Aetna to pay $1 million in fines plus Corrective Action Plan for HIPAA breaches according to OCR HHS findings

Updated - December 8, 2020

Aetna has entered into a resolution agreement with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to pay $1 million as a result of 3 major HIPAA breaches committed by Aetna as a Covered Entity.

Apart from the monetary penalty, Aetna Corporation and its subsidiaries entered into a Corrective Action Plan imposed by the OCR under its duties under the Health Insurance Portability and Accountability Act (HIPAA).

Aetna Life Insurance Company is an American managed health care company that offers insurance and other health-related products and services, such as medical, dental, and pharmaceutical plans. The plans it offers are primarily paid for by the plan holders’ employers, either fully or partially, and through Medicare.

Through its investigation, HHS found that Aetna had violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

These sanctions were imposed as a result of three breaches involving the company. The first occurred on April 27, 2017, when Aetna offered its policyholders a service through its website so that customers could access their plan-related documents online.

However, it was soon reported that there was no data privacy or security protection in place. Because no login credentials were required, the plan holders’ information and other data became accessible to the public, leaving the data exposed to anyone who reached the site. It was also reported that internet search engines were able to index the data for the same reason: it was openly accessible to everyone. Aetna reported this breach to the OCR, indicating that 5,002 individuals were affected.
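The failure mode above (plan documents served without any credential check, and therefore crawlable) is straightforward to show in code. The following is an added, constructed example and not Aetna's code: a minimal document handler in its unauthenticated form beside a hardened form that authenticates the caller, authorizes them for the specific document, and tells search engines and caches not to retain the response. The document store, session store and token values are all invented sample data.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not Aetna's): plan documents keyed by id, each owned by one member.
DOCUMENTS = {
    "doc-1001": {"owner": "member-A", "body": "Explanation of benefits for member-A"},
    "doc-1002": {"owner": "member-B", "body": "Explanation of benefits for member-B"},
}
# Constructed session store: opaque session token -> authenticated member id.
SESSIONS = {"tok-a-9f3c": "member-A", "tok-b-7d21": "member-B"}

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

def serve_document_insecure(doc_id: str) -> Response:
    """The failure mode described in the article: any visitor who knows or guesses a
    document id receives the document, and a crawler can index it like any public page."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc["body"])

def lookup_session(token: Optional[str]) -> Optional[str]:
    """Resolve a session token to a member id, comparing tokens in constant time."""
    if not token:
        return None
    for known, member in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return member
    return None

def serve_document(doc_id: str, session_token: Optional[str]) -> Response:
    """Hardened handler: authenticate the caller (person or entity authentication),
    then authorize that member for this specific document, then mark the response
    as not indexable and not cacheable so PHI does not end up in a search index."""
    member = lookup_session(session_token)
    if member is None:
        return Response(401, headers={"WWW-Authenticate": "Bearer"})
    doc = DOCUMENTS.get(doc_id)
    # Deny unless the authenticated member owns the document (authentication alone is not enough).
    if doc is None or doc["owner"] != member:
        return Response(403)
    headers = {
        "X-Robots-Tag": "noindex, nofollow",  # search engines must not index this page
        "Cache-Control": "private, no-store",  # shared caches must not retain it
    }
    return Response(200, doc["body"], headers)
```

A quick way to catch the insecure pattern in review or testing is to request every document endpoint with no session and expect a 401, then with a different member's session and expect a 403.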

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule was established to set national standards that protect the privacy of each individual’s medical records and other protected health information (PHI). Apart from its provisions on PHI privacy, the HIPAA Privacy Rule also gives patients the right to access their own health records.

The second breach concerning Aetna occurred on July 28, 2017, when it sent postal mail to plan holders in window envelopes; recipients complained that part of the letter’s content could be seen through the envelope window. This included very sensitive information, such as text regarding Human Immunodeficiency Virus (HIV) medications. The OCR Resolution Agreement document showed that this incident affected 11,887 individuals.

The third incident was reported by Aetna in November 2017 and involved another impermissible disclosure of information, which occurred on September 25, 2017, when the company sent correspondence to 1,600 Aetna plan holders. The postal mail was sent in envelopes that showed the name and logo of the atrial fibrillation (abnormal heart rate and rhythm) research study in which these individuals were participating.

What is the HIPAA Security Rule?

The HIPAA Security Rule was created to set national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires specific safeguards to ensure the confidentiality, integrity, and availability of ePHI.

The U.S. Department of Health and Human Services (HHS) investigated the reported breaches described above, and the OCR document enumerated the following findings:

  1. Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information (PHI) (mandated by 45 C.F.R. § 164.308(a)(8));
  2. Aetna failed to implement procedures to verify that a person or entity seeking access to PHI is the one claimed (mandated by 45 C.F.R. § 164.312(d));
  3. Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches (mandated by 45 C.F.R. § 164.502(a));
  4. Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure (mandated by 45 C.F.R. § 164.514(d));
  5. Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI (mandated by 45 C.F.R. § 164.530(c)).

Who has to comply with the HIPAA Privacy and HIPAA Security Rules?

The HIPAA Privacy and HIPAA Security Rules apply to both Covered Entities (e.g., medical doctors’ offices, dentists, chiropractors, physical therapists, long-term care facilities, etc.) and Business Associates (i.e., a person or entity that performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of a covered entity, such as legal, accounting, consulting, data aggregation, administrative, accreditation, and other services).

Due to the above findings by the HHS, the OCR imposed that Aetna must pay the amount of $1,000,000, and must enter into and follow a Corrective Action Plan (CAP). Among the Corrective Action Obligations enumerated by the OCR that Aetna has to comply with are the following:

  1. Develop, maintain, and update Policies and Procedures.
  2. Distribution of Policies and Procedures.
  3. Observe and indicate the basic content of the policies and procedures, including:
    • Evaluation – as specified under 45 C.F.R. § 164.308(a)(8)
    • Person or Entity Authentication – as specified under 45 C.F.R. § 164.312(d)
    • Minimum Necessary Requirements – as specified under 45 C.F.R. § 164.514(d)
    • Safeguards – as specified under 45 C.F.R. § 164.530(c)
  4. Training on HIPAA related policies and procedures of Aetna’s workforce, particularly those who have access to their plan-holders’ PHI.
  5. Reportable Events – if any member of Aetna’s workforce fails to comply with the terms and obligations set out in the Corrective Action Plan, Aetna must investigate the matter and report the incident to HHS if a failure or violation has occurred.

Conclusion and recommendations from the point of HIPAA compliance:

No organization, whether big or small, and whether it acts knowingly or unknowingly, with good intentions or otherwise, is exempt from complying with the rules of HIPAA as instituted by HHS.

Even established companies such as Aetna, with what one can only assume are highly sophisticated administrative and management capabilities, can be vulnerable and may fail to meet specific obligations required under the HIPAA Privacy and HIPAA Security mandates.

No matter the size of an organization or business, HIPAA regulations must be followed at all times, as HIPAA is a federal law. Needless to say, the elements of compliance can be numerous, complex, and tedious for most organizations to keep up with. The specific regulations mentioned above (i.e., 45 C.F.R. § 164.308(a)(8); 45 C.F.R. § 164.312(d); 45 C.F.R. § 164.514(d); 45 C.F.R. § 164.530(c)) are just a few of the HIPAA compliance requirements.

To meet their responsibilities and obligations, organizations and businesses involved in health and medical products and services, whether categorized as Covered Entities or Business Associates, must follow all applicable regulations and set up a compliance program.

For more information on HIPAA compliance or if your organization needs assistance with the HIPAA compliance requirements, CLICK HERE – Online HIPAA Compliance System by EPICompliance.

Find out if your organization is HIPAA Compliant. See the HIPAA Compliance Checklist – CLICK HERE.