{"id":3165,"date":"2020-11-04T07:07:43","date_gmt":"2020-11-04T07:07:43","guid":{"rendered":"https:\/\/www.empowerelearning.com\/blog\/?p=3165"},"modified":"2023-11-08T06:21:23","modified_gmt":"2023-11-08T06:21:23","slug":"why-avoiding-mailing-errors-is-so-important-under-hipaa","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/why-avoiding-mailing-errors-is-so-important-under-hipaa\/","title":{"rendered":"HIPAA Compliance: The Consequences of Mailing Errors and Their Avoidance"},"content":{"rendered":"

Last week, the Health and Human Services slapped Aetna Life Insurance with a fine of $1,000,000 for failing to follow the standards set by the HIPAA rules. Along with the fine, Aetna will also adopt a two-year corrective action plan to address the potential violations that occurred in 2017.<\/span><\/p>\n

Back in 2017, Aetna\u2019s activities caused the unauthorized disclosure of the protected health information of its plan members on <\/span>three different occasions<\/span><\/a>.\u00a0<\/span><\/p>\n

    \n
  1. The first incident affected 5,002 people. Their PHI was revealed because the servers used by Aetna for providing web services were misconfigured. The mailing error allowed unauthorized users to access plan documents without proper login credentials.\u00a0<\/span><\/li>\n<\/ol>\n

    Moreover, the error allowed search engines to index the documents; thus, everyone over the Internet could read them.\u00a0\u00a0\u00a0<\/span><\/p>\n

      \n
    1. In the second incident, the PHI of 11,887 individuals was revealed because Aetna used transparent-window envelopes. \u201cHIV medication\u201d written below the name and address of the person could be read through the envelope window.\u00a0<\/span><\/li>\n<\/ol>\n

      The mailing error affected <\/span>thousands of HIV patients<\/span><\/a>.<\/span><\/p>\n

        \n
      1. In the third incident, another mailing error revealed the details of people participating in an atrial fibrillation research study. In this case, the details of the research study were printed over the envelopes. The error affected 1600 people.<\/span><\/li>\n<\/ol>\n

        The three incidents resulted in the breach of the PHI of more than 18000 people. OCR investigated the three breaches, and concluded that Aetna had failed to protect the confidentiality of the PHI of its plan members.\u00a0<\/span><\/p>\n

        Failures on behalf of Aetna<\/b><\/h2>\n

        The investigators found that Aetna failed to comply with several provisions of the HIPAA Privacy rule, including –\u00a0<\/span><\/p>\n

          \n
        1. Performing periodic evaluations of its systems following an environmental and operational change that could affect the security of electronic PHI.\u00a0<\/span><\/li>\n
        2. Putting in place procedures to verify that a person or entity trying to access PHI is the once claimed.<\/span><\/li>\n
        3. Limiting PHI disclosure as per the minimum necessary rule.<\/span><\/li>\n
        4. Putting in place administrative, technical and physical safeguards to protect the privacy of the PHI.<\/span><\/li>\n<\/ol>\n

          The corrective action plan for Aetna<\/b><\/h2>\n

          Under the CAP, Aetna would revise its policies and procedures, and train its workforce to ensure that everyone follows the <\/span>standards<\/span><\/a> set by the HIPAA Privacy rule. Specifically, Aetna needs to put in place policies and procedures for addressing the following issues \u2013\u00a0<\/span><\/p>\n

            \n
          1. Conducting periodic evaluations in response to environmental and operational changes that affect the security of protected health information.<\/span><\/li>\n
          2. Verifying the identity of person(s) or entities seeking access to PHI.<\/span><\/li>\n
          3. Limiting disclosing of PHI to the minimum amount necessary for accomplishing an activity.<\/span><\/li>\n
          4. Putting in place administrative, technical, and physical safeguards to protect the privacy of the protected health information.\u00a0<\/span><\/li>\n<\/ol>\n

            In addition, employees who have access to PHI should receive training on the policies and procedures mentioned above. Aetna needs to keep the records of the training, such as the date of training and the proof of training. Along with the records, the material used for training should also be retained for auditing.\u00a0\u00a0\u00a0\u00a0<\/span><\/p>\n

            The HHS would track Aetna\u2019s compliance with the corrective action plan for next two years. A breach of the CAP can lead to further penalties by the HHS.\u00a0\u00a0<\/span><\/p>\n

            Other penalties<\/b><\/h2>\n

            The fine of $1 million isn\u2019t the only penalty that Aetna has paid as a result of the breach. Back in 2018, it paid $17.2 million to plan members for exposing their HIV information. Along with these two settlements, Aetna has paid other fines as well.\u00a0<\/span><\/p>\n