WellPoint hit with $1.7 million for Security Weaknesses in Online Application

The increasingly heavy-handed OCR announced news yesterday of yet another resolution agreement for HIPAA violations; this time hitting WellPoint Inc., a managed care company, with $1.7 million for an Internet breach that occurred between 2009 and 2010 and affected over 600,000 individuals.  HHS stated in the press release,

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Data (including names, birth dates, social security numbers and health information) was unsecured in a web-based application database after an upgrade.  The resolution agreement alleges that the Data was disclosed improperly over a five month period.  HHS indicated that,

  • WellPoint failed to implement policies for authorizing access to ePHI;
  • WellPoint failed to perform an "adequate" technical evaluation after a software upgrade affected authentication controls; and
  • WellPoint failed to implement technology to verify (authenticate) access to ePHI by authorized individuals.

Covered Entities affiliated with WellPoint include certain Anthem, Blue Cross and Blue Shield, and UNICARE health plans, among others.  There was no Corrective Action Plan accompanying the resolution agreement, which seems to indicate OCR was happy with the mitigative action taken by WellPoint after the fact. However, the Indiana attorney general's office had filed suit against WellPoint back in 2010 for failing to provide notification as required under state breach laws, and the Connecticut attorney general's office opened an investigation as well. 

For entities planning software and other upgrades and modifications (all you "Meaningful Users," to start), you can retrieve a copy of the news release and resolution agreement here, to hand to, and hammer home with, your Security Officer and IT Departments.

Guess What? OIG DOES Care about EHRs and Meaningful Use

Today marks the last day for hospitals to return an 18-page, 54-question survey inquiring about their EHR practices, security, coding and other potential EHR fraud and abuse vulnerabilities.  Hospitals using certified EHR technology that received Meaningful Use incentive payments between January 1, 2011 and March 31, 2012 received the survey from the HHS Office of the Inspector General (OIG) last week/early this week and were asked to return it by the end of today. 

The survey is part of the OIG's 148-page FY2013 Work Plan that summarizes OIG's fraud and abuse focus areas and planned reviews and activities for the year. Whether coincidental or not, the survey's timing comes on the heels of three hotly contested letters surrounding EHRs and the CMS Meaningful Use Incentive Programs. 

First came the warning letter issued by the Secretary of the Department of Health and Human Services, Kathleen Sebelius, and U.S. Attorney General, Eric Holder, to hospital associations warning them of EHR fraud and abuse through cloning medical records and upcoding.  This was quickly followed by a letter from House Representatives calling for the suspension of the Meaningful Use program, and then a second letter from four Senators requesting a meeting, by no later than today, to discuss Stage 2 of Meaningful Use. 

CMS has explicitly made it clear from the beginning that false claims associated with Meaningful Use will be subject to recoupment of any incentive payments received and may result in further liability. Now, not only will CMS or state Medicaid agencies audit providers to identify payments which were improperly made, but OIG may not be far behind. 

The majority of the survey questions focus on areas that could potentially implicate inappropriate EHR practices, including "copy and paste" functions and policies, diagnoses and procedure coding, physician and nursing progress notes, as well as security practices, such as user authorization and access controls, third-party accesses to EHRs and patient EHR access.  However, it is clear from OIG's Work Plan that it is carefully examining both Meaningful Use payments received by providers and CMS safeguards in place to identify erroneous payments. Likewise, the Work Plan states OIG plans on reviewing OCR oversight activities of HIPAA and HITECH. 

The American Hospital Association is asking all hospitals to copy it on their answers by email at oigsurvey@aha.org. 

Feb 29th is Last Day to Report Breaches of <500 to HHS!

For those that have been logging their "small" Breaches (i.e., less than 500 individuals affected) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th is the LAST day to get your information entered into HHS' Breach reporting website.  While covered entities may opt to report each small Breach to HHS throughout the year (i.e., including the onsies and twosies), the other option is to log each small Breach during the calendar year and report all such small breaches to HHS within 60 days of the end of such applicable calendar year. 

A couple of important points to note about reporting small breaches to HHS:  

First, the HHS-reporting "buck" stops with the covered entity, not the Business Associate. Even if a breach was caused by a Business Associate (BA), under the current HITECH Breach Rule the BA's only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable Breaches to HHS. 

Second, follow a 'GOLDILOCKS rule' of 'Not too much, not too little -- just right'. Covered entities must report all relevant information requested on HHS' online reporting form. However, there are several fields that ask for a typed response.  For example, HHS asks for a "brief description of the breach" including how it happened, any additional information about the breach, and the type of media and PHI involved. HHS similarly asks the covered entity to describe "other actions taken" in response to the Breach. But, while a covered entity must report what it is required to report by law, offering too much information (including impermissibly disclosing patients' PHI, among other things) could land the covered entity in hot water.

Finally, you had better have remembered to collect ALL the required information on your Breach Log!  A covered entity that is planning to report small Breaches at the end of the calendar year must plan ahead and know what information to collect and document, and hint: it's a lot of information that you might not be able to recall at the end of the year unless you documented it as you went along.  The information that covered entities should be collecting about each "small" breach includes:

  • Date of the Breach? 
  • Date the Breach was Discovered?
  • Approximate number of individuals affected?
  • What "type" of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
  • Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
  • What type of information was involved? (select : demographic info, financial info, clinical info, other) 
  • What safeguards were in place prior to the Breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics) 
  • Date individuals were notified? (note: this date should never be more than 60 days after the Date of Discovery entered, and in any case any "unreasonable delay" in notifying individuals (even if less than 60 days) could trigger a closer look by HHS).
  • Actions taken in response (select : privacy & security safeguards, mitigation, sanctions, policies and procedures, or other) 
Even though HHS withdrew the Interim Final Breach Notification Rule during the summer of 2010 (and even though we continue to wait for a final revised version of that rule to be published), covered entities are still required to report all Breaches (if there is a positive "Harm" determination) to HHS. HHS specifically points out on its website that "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect."

For Breach Notification training & education, click our Workshops button.

The Spirit of Holiday Giving, er, Penalties...

The California Department of Public Health (CDPH) will be collecting a whopping $667,000 in administrative fines and penalties from six hospitals charged with privacy violations.  The CDPH imposed penalties ranging from $5,000 to $250,000 on the hospitals under new privacy and confidentiality regulations enacted in 2008 aimed at cracking down on widespread patient privacy violations.  Under the new legislation, penalties may be assessed for violations of up to $25,000 per patient whose information was accessed, used or disclosed improperly and up to $17,500 for subsequent violations. 

By far the most astounding violation was at Kern Medical Center, which was hit with a $250,000 penalty after the theft of laboratory reports from storage lockers used for distribution of the reports.  A staff member had placed daily laboratory reports in storage lockers that were not on the premises of the hospital but outside and accessible to the general public.  He was aware that the locks were not functioning and that the locker door was broken, a condition the storage locker had been in for several months.  Although the Privacy Officer alleged that keeping the reports in the outside lockers was not a hospital-permitted practice, it appeared to have been occurring for some time.  Another hospital was assessed a $225,000 penalty for failing to prevent unauthorized access to and use of patient information by a hospital employee who had memorized the information while purging older hospital records in order to help other individuals open fake Verizon accounts.

The imposition of these fines and penalties should impress upon even out-of-state hospitals the importance of securing both paper and electronic health information.  From safeguarding computer printouts such as laboratory reports to preventing unauthorized access to or uses of electronic health information, hospitals must be vigilant and proactive in safeguarding patient information.  Not only must hospitals monitor access to and uses of patient information, but they must also continue to educate and re-educate staff on confidentiality and security policies, conduct periodic audits and physical security sweeps, and strictly enforce all policies by imposing sanctions where appropriate.

The full CDPH press release may be found at http://www.cdph.ca.gov/Pages/NR10-92.aspx