Wellpoint Resolution Agreement

597 views

Published on

The managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.



The investigation indicated WellPoint did not:

• adequately implement policies and procedures for authorizing access to the on-line application database

• perform an appropriate technical evaluation in response to a software upgrade to its information systems

• have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.



As a result, beginning on Oct. 23, 2009, until Mar. 7, 2010, the investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.



Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet. Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.



The Press Release can be found on the HHS News page: http://www.hhs.gov/news/press/2013pres/07/20130711b.html and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html.

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
597
On SlideShare
0
From Embeds
0
Number of Embeds
13
Actions
Shares
0
Downloads
1
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Wellpoint Resolution Agreement

  1. 1. RESOLUTION AGREEMENT I. Recitals 1. Parties The Parties to this Resolution Agreement (“Agreement”) are: A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). HHS has the authority to conduct investigations of complaints alleging violations of the Privacy and Security Rules by covered entities, and covered entities must cooperate with HHS’s investigation. 45 C.F.R. § 160.306(c) and § 160.310(b); and B. WellPoint, Inc., an Indiana corporation, on behalf of the health plans under its common ownership or control that have been designated as a single Affiliated Covered Entity pursuant to the Privacy Rule, 45 C.F.R. § 164.105(b). The members of the WellPoint Affiliated Covered Entity (hereinafter collectively referred to as “WellPoint”), each of which meet the definition of “covered entity” as a “health plan” under 45 C.F.R. § 160.103, are set forth in Appendix A, attached hereto and incorporated by reference HHS and WellPoint shall together be referred to herein as the “Parties.” 2. Factual Background and Covered Conduct On June 18, 2010, HHS received notification from WellPoint regarding a breach of certain of its unsecured electronic protected health information (ePHI). On September 9, 2010, HHS notified WellPoint of HHS’s investigation regarding WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules. HHS’s investigation indicated that the following conduct occurred (“Covered Conduct”): (1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule. (2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication
  2. 2. safeguards for its web-based application met the requirements of the Security Rule. (3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed. (4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database. 3. No Admission. This Agreement is not an admission of liability by WellPoint for actions arising out of the covered conduct. 4. No Concession. This Agreement is not a concession by HHS that WellPoint has not violated the Privacy or Security Rules or that WellPoint is not liable for civil money penalties. 5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve HHS Complaint No. 10-116170, and any violations of the HIPAA Privacy and Security Rules for the Covered Conduct specified in paragraph I.2. of this Agreement. In consideration of the Parties’ interest in avoiding the uncertainty, burden and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below. II. Terms and Conditions 1. Payment. WellPoint agrees to pay HHS the amount of $1,700,000.00 (“Resolution Amount”) by electronic funds transfer on or before July 11, 2013, pursuant to written instructions to be provided by HHS. 2. Release by HHS. In consideration of and conditioned upon WellPoint’s performance of its obligations under this Agreement, HHS releases WellPoint from any actions it has or may have against WellPoint under the Privacy and Security Rules for the Covered Conduct specified in paragraph I.2. of this Agreement. HHS does not release WellPoint from, nor waive any rights, obligations, or causes of action other than those for the Covered Conduct and referred to in this paragraph. This release does not extend to actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6. 3. Agreement by Released Party. WellPoint shall not contest the validity of its obligation to pay, nor the amount of, the Resolution Agreement or any other obligations agreed to under this Agreement. WellPoint waives all procedural rights granted under section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a), 45 C.F.R. Part 160, Subpart E; and HHS Claims Collection provisions, 45 C.F.R. Part 30,
  3. 3. including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount. 4. Binding on Successors. This Agreement is binding on WellPoint and its successors, heirs, transferees, and assigns. 5. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement. 6. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only and by this instrument the Parties do not release any claims against any other person or entity. 7. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement must be in writing and signed by both Parties. 8. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) on the date that both Parties sign this Agreement. 9. Disclosure. HHS places no restriction on the publication of this Agreement. This Agreement and information related to this Agreement may be made public by either Party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5. 10. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement. 11. Authorizations. The individual(s) signing this Agreement on behalf of WellPoint represent and warrant that the covered entity members of the WellPoint Affiliated Covered Entity, as set forth in Appendix A, have agreed to be bound by the terms of this Agreement and that he/she is authorized to execute this Agreement. The individual signing this Agreement on behalf of HHS represent and warrant that he is signing this Agreement in his official capacity and that he is authorized to execute this Agreement.
  4. 4. For WellPoint, Inc. - // - July 8, 2013 ______________________________ ____________________ Roy Mellinger Date Vice President & Chief Information Security Officer
  5. 5. For the United States Department of Health and Human Services - // - July 8, 2013 ______________________________ ____________________ Peter K. Chan Date Regional Manager, Region I Office for Civil Rights
  6. 6. APPENDIX A Schedule A: Affiliated Covered Entity Health Plans 1. Anthem Health Plans, Inc. 2. Anthem Health Plans of Kentucky, Inc. 3. Anthem Health Plans of Maine, Inc. 4. Anthem Health Plans of New Hampshire, Inc. 5. Anthem Health Plans of Virginia, Inc. 6. Anthem Insurance Companies, Inc. 7. Atlanta Healthcare Partners, Inc. 8. BC Life & Health Insurance Company 9. Blue Cross and Blue Shield of Georgia, Inc. 10. Blue Cross Blue Shield Healthcare Plan of Georgia, Inc. 11. Blue Cross Blue Shield of Wisconsin 12. Blue Cross of California 13. Blue Cross of California Partnership Plan, LLC 14. Community Insurance Company 15. Compcare Health Services Insurance Corporation 16. Empire HealthChoice Assurance, Inc. 17. Empire HealthChoice HMO, Inc 18. Golden West Health Plan, Inc. 19. HealthLink, Inc. 20. HealthLink HMO, Inc. 21. HealthKeepers, Inc. 22. Healthy Affiance Life Insurance Company 23. HMO Colorado, Inc. 24. HMO Missouri, Inc. 25. Matthew Thornton Health Plan, Inc. 26. MCS Health Management Options, Inc. 27. OneNation Insurance Company 28. Peninsula Health Care, Inc. 29. Priority Health Care, Inc. 30. RightCHOICE Insurance Company 31. Rocky Mountain Hospital and Medical Service, Inc. 32. UNICARE Health Benefit Services of Texas 33. UNICARE Life & Health Insurance Company 34. UNICARE Health Insurance Company of Texas 35. UNICARE Health Insurance Company of the Midwest 36. UNICARE Health Plan of Oklahoma, Inc. 37. UNICARE Health Plans of Texas, Inc. 38. UNICARE Health Plans of the Midwest, Inc. 39. UNICARE of Texas Health Plans, Inc. 40. WellChoice Insurance of New Jersey, Inc. 41. Anthem Health Plans of Virginia, Inc. Welfare Benefits Plans 42. Anthem Retiree Health Care Plan 43. Health Plans for Employees of WellPoint Health Networks, Inc. 44. WellPoint Health Plan for Wisconsin Based Retirees 45. Any other health plan covered entity that is or becomes controlled by WellPoint, Inc.
  7. 7. Schedule B Affiliated Covered Entity Pharmacies 1. Anthem Prescription Management, LLC; 2. Precision RX, Inc. 3. Any other pharmacy covered entity that is or becomes controlled by WellPoint, Inc.

×