Last week, the Department of Health and Human Services (HHS) fined Aetna Life Insurance $1,000,000 for failing to follow the standards set by the HIPAA rules. Along with the fine, Aetna will also adopt a two-year corrective action plan to address the potential violations that occurred in 2017.
Back in 2017, Aetna’s activities caused the unauthorized disclosure of the protected health information of its plan members on three different occasions.
- The first incident affected 5,002 people. Their PHI was revealed because the servers Aetna used to provide web services were misconfigured. The misconfiguration allowed unauthorized users to access plan documents without proper login credentials.
Moreover, the misconfiguration allowed search engines to index the documents; thus, anyone on the Internet could read them.
- In the second incident, the PHI of 11,887 individuals was revealed because Aetna used transparent-window envelopes. “HIV medication” written below the name and address of the person could be read through the envelope window.
The mailing error affected thousands of HIV patients.
- In the third incident, another mailing error revealed the details of people participating in an atrial fibrillation research study. In this case, the details of the research study were printed on the outside of the envelopes. The error affected 1,600 people.
The three incidents resulted in the breach of the PHI of more than 18,000 people. OCR investigated the three breaches and concluded that Aetna had failed to protect the confidentiality of the PHI of its plan members.
Failures on behalf of Aetna
The investigators found that Aetna failed to comply with several provisions of the HIPAA Privacy Rule, including –
- Performing periodic evaluations of its systems following an environmental or operational change that could affect the security of electronic PHI.
- Putting in place procedures to verify that a person or entity trying to access PHI is the one claimed.
- Limiting PHI disclosure as per the minimum necessary rule.
- Putting in place administrative, technical and physical safeguards to protect the privacy of the PHI.
The corrective action plan for Aetna
Under the CAP, Aetna will revise its policies and procedures and train its workforce to ensure that everyone follows the standards set by the HIPAA Privacy Rule. Specifically, Aetna needs to put in place policies and procedures addressing the following issues –
- Conducting periodic evaluations in response to environmental and operational changes that affect the security of protected health information.
- Verifying the identity of person(s) or entities seeking access to PHI.
- Limiting disclosure of PHI to the minimum amount necessary to accomplish an activity.
- Putting in place administrative, technical, and physical safeguards to protect the privacy of the protected health information.
In addition, employees who have access to PHI should receive training on the policies and procedures mentioned above. Aetna needs to keep records of the training, such as the date of training and proof that it took place. Along with the records, the training material should also be retained for auditing.
The HHS will track Aetna’s compliance with the corrective action plan for the next two years. A breach of the CAP can lead to further penalties from the HHS.
The fine of $1 million isn’t the only penalty that Aetna has paid as a result of the breach. Back in 2018, it paid $17.2 million to plan members for exposing their HIV information. Along with these two settlements, Aetna has paid other fines as well:
- $1.5 million to the New York State attorney general
- $1 million to California’s attorney general
- $365,000 to New Jersey
- $175,000 to Washington, D.C., and
- $100,000 to Connecticut
PHI mailing errors by other providers
The Aetna breach isn’t the only one of its type. Two more providers, Amida Care, a health plan based in New York City, and CVS Caremark, working for the Ohio HIV Drug Assistance Program, also suffered similar breaches in 2017. Both used transparent-window envelopes when mailing letters with sensitive information.
Similar errors by EmblemHealth led to the disclosure of the health insurance claim numbers of 81,000 plan members. The provider sent envelopes to its members with their health insurance claim numbers printed on the outside of the envelope. The incident led to a penalty of $575,000 on EmblemHealth by the New York attorney general.
The Ohio Department of Mental Health (Ohio MHAS) also made a mailing error in 2016, when it mailed postcards instead of sealed envelopes to patients. The breach affected 59,000 patients.
Why is HIPAA training so important?
The breach incidents listed above highlight the value of reviewing procedures regularly. Employee training is an important aspect as well. Why? Every case listed above could have been prevented with proper vigilance. For instance, in the case of EmblemHealth and Ohio MHAS, the breach could have been prevented if employees had been aware that the information they were disclosing was protected under HIPAA.
For these reasons, HIPAA training becomes extremely important. Training can help employees become sensitive to the value of PHI. All workers who handle PHI should know about the HIPAA Privacy Rule and why they need to follow it. Moreover, everyone should be able to identify PHI and know how to guard its confidentiality.
Besides this, you’d want to cover the minimum necessary rule, patient authorization, breach notification, and the right to access provision too. There are rules for mailing health information. And, there are exceptions. Your training should cover both.
The training should give employees the basic knowledge about the HIPAA rules, and how their vigilance can protect patients’ PHI.
Other HIPAA settlements in October
Last month, the Office for Civil Rights settled two more HIPAA cases in which providers violated the Privacy Rule. NY Spine Medicine was fined $100,000 and Dignity Health was fined $160,000 for not providing employees timely access to their health records.
Employee training for HIPAA should be considered a top priority. You should aim to train all new employees within 30 days of hiring, and annually thereafter. Your staff should be retrained whenever environmental or operational factors change.