Health Information Compliance Alert
Guard Against IT-Sparked HIPAA Breaches
PDF
HHS OCR puts teeth in its fines for HIPAA violations.
Don’t let a computer conversion lead to major fines for violating patient privacy. That’s what Indianapolis-based managed care company WellPoint Inc. has learned the hard way. Wellpoint has agreed to pay $1.7 million to settle HIPAA charges, the Department of Health and Human Services says in a release.
The HHS Office for Civil Rights (OCR) started an investigation after WellPoint self-reported that “security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet,” HHS says in the release. That data, which was accessible for more than four months, included names, dates of birth, addresses, Social Security numbers, telephone numbers, and health information.
Mind Your Technical Safeguards
The managed care company “did not implement appropriate administrative and technical safeguards” when it made a systems upgrade to an online application database. Namely, it didn’t “adequately implement policies and procedures for authorizing access to the on-line application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; [or] have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database,” HHS says.
Warning: “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” HHS stresses.
Don’t think you can get off the hook for a similar breach by pointing the finger at your software vendor. “Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information — especially information that is accessible over the Internet,” the agency says.
However, vendors will have to shoulder more blame for HIPAA breaches when the rules change this fall. “Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors,” HHS notes.
Health Information Compliance Alert
- HIPAA Compliance:
How To Properly Handle Disclosure-Restriction Requests
What’s the true impact of this new patient right? For a decade now, patients have [...] - Answer 6 Questions To Follow The PHI Flow
Comply with disclosure-restriction requests by reviewing internal processes. Just because you flag a service that [...] - Patient Privacy:
Get Ready For HIPAA Audits Beginning in October
Make sure you perform annual risk assessments if you receive meaningful use funding. The Office [...] - PQRS:
Secure Your Bonus Pay With Appropriate Reporting
Tip: The TIN reporting entity nets the incentive pay. It’s time to evaluate your Physician [...] - HIPAA Breaches:
Guard Against IT-Sparked HIPAA Breaches
HHS OCR puts teeth in its fines for HIPAA violations. Don’t let a computer conversion [...] - Documentation Strategies:
Ask The Right Document Management System Questions
Look for ease of setup and integration in your paperless system. Most facilities are going [...] - Clip and Save:
Review the 8 Pros of Practice Management Software
These perks may outweigh the high cost of implementing an MPM system. There’s no denying [...] - Industry Notes
Say Goodbye To HHABN, Hello To HHCCN Home health providers can hold off on ordering [...]