Aetna has entered into a resolution agreement with the Office of the Civil Rights (OCR), U.S. Department of Health and Human Services (HHS) to pay $1 million as a result of 3 major HIPAA breaches that were committed by Aetna as a Covered Entity.
Apart from the monetary penalties, Aetna Corporation, and its subsidiaries entered into a Corrective Action Plan as imposed by the OCR under the duties under the Health Insurance Portability and Accountability Act (HIPAA).
Aetna Life Insurance company is an American managed business that offers insurance and other health-related products and services, such as medical, dental, pharmaceutical, and others. The plans they offer are primarily paid by the plan holder’s employers, either fully or partially, and through Medicare.
The HHS through its investigation found that Aetna has violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
These sanctions were imposed as a result of three breaches involving the company. One of which occurred on April 27, 2017, when Aetna offered a service through their website to its policyholders. The intention of the company was so that its customers can access their plan-related documents online through the website.
However, it was soon reported that there was no data privacy and security protection in place. The plan-holders’ information including other data became accessible to the public since there was no login credential requirement in place. Making the data vulnerable to whoever will access it. It was also reported that internet search engines were able to index said data for the same reason that it was openly accessible to everyone. Aetna has reported this breach to the OCR, indicating 5,002 individuals were affected.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule has been established to set national standards to protect the privacy of each individuals' medical records and other personal health information (PHI). Apart from the provisions on PHI privacy, HIPAA Privacy Rule also gives the patient’s right to access their respective health records.
The second breach concerning Aetna occurred on July 28, 2017, when they sent out postal mails to plan-holders, contained in a window type envelope, in which recipients complained that part of the correspondence content can be seen through the window envelope. This included very sensitive information such as texts regarding the Human Immunodeficiency Virus (HIV) medications. The OCR Resolution Agreement document showed that this particular incident affected 11,887 individuals.
The third incident was reported by Aetna in November 2017, indicating another breach related to impermissible disclosure of information occurred on September 25, 2017, when the company sent out correspondence to 1,600 Aetna plan-holders. The company sent out postal mails in envelopes that showed the name and logo of Atrial Fibrillation (abnormal heart rate and rhythm) of the study that these individuals were participating in.
What is the HIPAA Security Rule?
The HIPAA Security Rule was created to set national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires specific safeguards to ensure the confidentiality, integrity, and security of ePHI
The US Health and Human Services (HHS) investigations conducted due to above mentioned reported breaches and the OCR document enumerated the following findings:
Who has to comply with the HIPAA Privacy and HIPAA Security Rules?
The HIPAA Privacy and HIPAA Security Rules apply to both Covered Entities (e.g., medical doctor’s offices, dentists, chiropractors, physical therapists, long-term health facilities, etc.), and Business Associates (e.g., person or entity that performs certain functions that involve the use or disclosure of protected health information PHI on behalf of a covered entity such as legal; accounting; consulting; data aggregation; administrative; accreditation; and others).
Due to the above findings by the HHS, the OCR imposed that Aetna must pay the amount of $1,000,000, and must enter into and follow a Corrective Action Plan (CAP). Among the Corrective Action Obligations enumerated by the OCR that Aetna has to comply with are the following:
No organization is too big nor too small, whether knowingly or unknowingly, with good intentions or otherwise, are exempted from complying with the mandated rules of HIPAA as instituted by the HHS.
Even established companies such as Aetna, with one, can only assume, highly sophisticated administrative and management capabilities, can be vulnerable and may fail to accomplish and/or follow specific obligations required under the HIPAA Privacy and HIPAA Security mandates.
No matter the size of an organization and business is, HIPAA regulations must be followed at all times, as it is a federal law. Needless to say, the elements of compliance can be numerous, complex, and tedious for most organizations to keep up with. The specific regulations mentioned above (i.e., 45 C.F.R. § 164.308(a)(8); 45 C.F.R. § 164.312(d); 45 C.F.R. § 164.514(d); 45 C.F.R. § 164.530(c)) are just a few of the HIPAA compliance requirements.
As a matter of complying with responsibilities and obligations for organizations and businesses involving health and medical products and services, whether categorized as Covered Entities, or Business Associates, it is a must to follow all regulations and set-up a compliance program.
For more information on HIPAA compliance or if your organization needs assistance with the HIPAA compliance requirements, CLICK HERE – Online HIPAA Compliance System by EPICompliance.
Find out if your organization is HIPAA Compliant. See the HIPAA Compliance Checklist – CLICK HERE.
References: