On July 11, 2013, the Department of Health and Human Services announced that it reached a settlement with WellPoint Inc. related to potential violations of the HIPAA Privacy and Security Rules. In compliance with the HITECH Breach Notification Rule, WellPoint notified the HHS Office for Civil Rights that certain security weaknesses in one of its online application databases had made the protected health information (“PHI”) of over 600,000 individuals (including names, dates of birth, addresses, Social Security numbers, telephone numbers and health information) available on the Internet. After receiving WellPoint’s report, HHS started an investigation and, ultimately, found that WellPoint failed to implement appropriate safeguards to protect PHI. Specifically, HHS determined that WellPoint failed to: (1) adequately implement policies and procedures for authorizing access to its online application databases (containing PHI); (2) perform an appropriate technical evaluation in response to a software upgrade that it had recently conducted; and (3) employ safeguards to verify the identity of the person or entity seeking access to PHI in its databases. Under the terms of a resolution agreement, WellPoint agreed to pay $1.7 million to settle the action.
Interestingly, at the end of the press release issued by HHS announcing the settlement, HHS stated that, “[b]eginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.” By including this statement in its press release, HHS may have been sending a message to business associates that it intends to enforce compliance with this new HIPAA requirement.