$3.5 Million HIPAA Settlement Highlights Need for Training | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement with an insurance holding company involving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The company will pay $3.5 million to settle the potential violations and must adopt a corrective action plan that includes training for its workforce members.

Practical Law Legal Update w-001-0090 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 01 Dec 2015, USA (National/Federal)
On November 30, 2015, HHS issued a resolution agreement and related press release announcing a settlement with an insurance holding company and its subsidiaries for potential violations of the HIPAA privacy and security rules. HHS began its investigation after the company submitted several breach notifications involving unsecured protected health information (PHI) (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Privacy, Security, and Breach Notification Toolkit).
According to HHS, the company's potential violations involved multiple incidents, many of which affected more than 500 individuals (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations). First, two former employees of one of the company's subsidiaries, who had since been employed by a competitor:
  • Improperly accessed restricted areas of the subsidiary's proprietary internet database.
  • Gained access to electronic PHI housed in the database, which included employees' names, contract numbers, home addresses, diagnostic codes, and treatment codes.
The former employees were able to access the database because their access rights had not been terminated after they left the subsidiary's employment.
Second, in separate incidents, vendors of two of the company's subsidiaries disclosed PHI of the subsidiaries' Medicare Advantage beneficiaries on the outside of pamphlets mailed to the beneficiaries. The disclosed PHI included the individuals' names, mailing addresses, and health insurance claim numbers. Disclosure of the PHI to the vendors for mailing purposes occurred without a HIPAA business associate agreement (see Standard Documents, HIPAA Business Associate Agreement and Business Associate Policy).
Third, a former employee of a HIPAA business associate of two of the subsidiaries copied individuals' electronic PHI onto a CD, which he then:
  • Took home for an unknown period of time.
  • Downloaded onto a computer at his new employer.
The electronic PHI contained individuals' enrollment information, including their:
  • Names, contract numbers, and home addresses.
  • Social Security numbers and dates of birth.
  • Health insurance claim numbers.
Finally, a subsidiary reported to HHS that its enrollment staff placed the incorrect member ID cards in mailing envelopes, and individuals therefore received member ID cards belonging to other individuals. The disclosed PHI included individuals':
  • Names and ID numbers.
  • Benefit packages and effective dates.
  • Copayment and deductible information, and contract numbers.
In addition, the following incidents affected fewer than 500 individuals:
  • One of the company's subsidiaries disclosed PHI consisting of individuals' health plan identification numbers, which were placed on labels used for a mailing.
  • A mailing to individuals included PHI for other members on the backs of the individuals' letters, which included:
    • individuals' names; and
    • the names of preventive health tests that had been recommended for the individuals.

Corrective Measures

Under its resolution agreement with HHS, the company must:

Practical Impact: HIPAA Training

Perhaps given the scope of the unauthorized access and disclosures involved in this enforcement action (and the severity of the $3.5 million payment), HHS's resolution agreement with the company includes detailed requirements focused on HIPAA training (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Among other steps, the company must:
  • Timely provide HHS with its HIPAA privacy, security, and breach notification training materials.
  • Make required changes to the training materials in light of HHS's review.
  • Provide training, using the HHS-approved training materials, to all workforce members:
    • within 60 days of HHS's approval; and
    • every twelve months after that.
  • Obtain a certification, from each workforce member who must attend the training, that:
    • specifies the date the training was received; and
    • is in either electronic or written form.
  • Review its training annually and make updates as needed to reflect:
    • changes in federal law or HHS guidance; and
    • any issues discovered during audits or review.
Finally, the company must not allow its workforce members to access electronic PHI unless they have signed or provided a training certification.
For HIPAA covered entities in general, the enforcement action highlights the importance of:
  • Compliant business associate agreements with third-party administrators, other service providers, and vendors.
  • Risk analyses that include all IT equipment, applications, and data systems that use electronic PHI.
  • Procedures for terminating access to electronic PHI when employees and other workforce members stop working for an employer.