I have written before about learning from others mistakes. I know many folks in the small CE and BA world brush off the news of the $1,700,000 Wellpoint Settlement as something that happens only to the big guys. There is so much to learn here, I hope you will take a minute to see why you shouldn’t brush it off. Here is another opportunity to learn from other’s mistakes where HIPAA is concerned. There is much more involved than most people realize.
There are a few conflicting reports on numbers and dates but I think I have an approximate timeline here:

• Oct 23, 2009 – A “third-party” installs a software upgrade to the website application allowing consumers to track their insurance applications. At that time, according to Wellpoint, the unnamed third party assured them the installation was fine and the proper security was back in place after the upgrade.
• Mar 8, 2010 – Wellpoint is notified by a consumer’s attorney they are filing suit against them. Soon after the upgrade a California woman discovered she could see other consumer’s information if she changed the URL (web address) including all their health records, financials and social security numbers. Wellpoint reports the problem was corrected within 12 hours of their learning it existed.
• June 18, 2010 – Wellpoint notified HHS of a breach. Notifications begin and reaches 470,000 individuals in June.
• Aug 6, 2010 – Notice is posted on the “Wall of Shame” as it was reported in June. Original number patients affected listed as 31,700 individuals.
• July 30, 2010 – Indiana State Attorneys General office contacts Wellpoint asking why they haven’t been notified per state law requirements. The State AG found out in the newspaper.
• Sept 9, 2010 – HHS notifies WellPoint they are opening an investigation of their compliance with the HIPAA Privacy, Security and Breach Rules.
• Oct 2010 – Indiana State Attorney General files lawsuit for breach notifications not being made to state.
• July 2011 – WellPoint settles with Indiana State Attorney General for $100,000
• July 2013 – WellPoint agrees to pay $1,700,000 to HHS for the breach that impermissibly disclosed information on 612,402 individuals.

There is so much to learn here.

• Your IT vendors are a critical link in your compliance. Trust but check them. That outside party certainly isn’t cruising along unscathed in this mess. WellPoint hasn’t named them but they are likely not doing business with them any longer and/or having them pay up. Whether they are an IT firm, software vendor or independent contractors you can be sure their business has been affected by this event. If they truly believed what they had done was acceptable they couldn’t be a HIPAA compliant vendor. If they were that negligent their HIPAA compliance processes are lax at best.
• All it takes is one person finding access or failure on an entities part to protect their data and everything is out of your control from that point forward. WellPoint certainly wouldn’t think one woman could cost them $1.8 million in fines, 2 years of legal processes and fees (which likely aren’t over), extensive costs in notifying 612,402 people who are then offered credit monitoring and other services plus who know what else yet to be addressed.
• It could have been worse. There is no Corrective Action Plan included in this settlement. That likely means WellPoint was doing most things right except when they did this upgrade. Do you want to guess what the fine and requirements would have been if they found big holes in the compliance processes altogether?
• Making an assumption about your information systems security and never testing it or confirming test data is just not good business sense. WellPoint is liable for this failure, not the outside vendor. Don’t just assume something is done. If they had simply made a plan with some checks and documentation in it this whole situation could likely have been avoided.
• Add more testing to your compliance plan. If you have a patient portal someone should be testing the security of it every time there is a change.
• Know your state laws. A notification under state laws in this case would have saved more legal fees and fines.

In the press release, HHS specifically points out that the outside vendor was a Business Associate who made a mistake. In the future, they would be liable for this mistake along with WellPoint. Neither party checked their work adequately. Here is the point they made very clear:

Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.

Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.

The only thing that would be different here for a small CE and their BA is the total numbers. Every other part of the equation could easily apply to any of you. How many chances do you get to take care of business before you end up with the Shoulda’, Coulda’, Woulda’ mantra?

Filed under: HIPAA Tagged: Breach Case, Breach Notification, Breach Notification Rule, Business Associate, Compliance, HIPAA, Security Rule, Small Provider