The U.S. Department of Health and Human Services (HHS) announced yesterday that it has entered into a resolution agreement with a national managed care organization and health insurance company (hereinafter “Company”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Investigation and Resolution Agreement

The HHS Office for Civil Rights (OCR) conducted an investigation after receiving the Company’s breach report, a requirement for breaches of unsecured protected health information (PHI) pursuant to the Health Information Technology for Economic Clinical Health Act (HITECH) Breach Notification Rule.

The investigation indicated that the Company had not implemented appropriate administrative and technical safeguards required by the Security Rule; and as a result, security weaknesses in an online application database left electronic PHI (ePHI) of 612,042 individuals unsecured and accessible to unauthorized individuals over the internet. PHI at issue included names, dates of birth, addresses, social security numbers, telephone numbers, and health information. Specifically, with regard to ePHI maintained in its web-based application database, the Company did not:

1. Adequately implement policies and procedures for authorizing access to ePHI;
2. Perform an adequate technical evaluation in response to a software upgrade affecting the security of ePHI; or
3. Adequately implement technology to verify the identity of the person/entity seeking access to ePHI.

HHS and the Company entered into a resolution agreement, and the Company agreed to pay a $1.7 million settlement.  Notably, the resolution agreement did not include a corrective action plan for the Company.

Stepped up Enforcement

Beginning with the September 23, 2013 Omnibus Rule compliance date, HHS will have direct enforcement authority over business associates and subcontractors.  The settlement is an indication that HHS will not hesitate to extend enforcement actions to business associates and subcontractors.

The settlement is also a reminder of HHS expectations regarding compliance with HIPAA and HITECH standards.  HHS noted “whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.”

More information regarding the Omnibus Rule and its expanded liability is available here.