Aetna has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
On April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members allowed those documents to be accessed without login credentials; the documents were subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach, and the protected health information (PHI) disclosed included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
On July 28, 2017, benefit notices were mailed to members using window envelopes. Shortly after the mailing, Aetna received complaints from members that the words "HIV medication" could be seen through the envelope's window below the member's name and address. Aetna reported that 11,887 individuals were affected by this impermissible disclosure.
On September 25, 2017, a research study mailing sent to Aetna plan members carried, on the outside of the envelope, the name and logo of the atrial fibrillation (irregular heartbeat) research study in which the members were participating. Aetna reported that 1,600 individuals were affected by this impermissible disclosure.
OCR's investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
What does this mean for you? We will look at all three breaches and see what you can do to protect yourself.
The Breach of April 27, 2017
If you have a website or a web portal that can collect or display patient information, and that website is not configured properly, you are at risk of a HIPAA breach. Even if the website is run by a third party, it is your patient information, and it is ultimately you who will be held responsible for the breach.
What to do?
Look at the contracts you have with your technology providers. Make sure that you have Business Associate Agreements (BAAs) in place, and make sure the BAAs include terms stating that the Business Associate will be responsible for all costs, fines, and settlements should there be a breach due to a flaw in the security of their technology. Without these agreements in place, you will bear all the costs associated with the breach.
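The April breach had two parts: documents served without a login, and search engines then indexing them. The following is an added example, not code from the original post or from Aetna, of the check a practitioner can run against a document portal before it goes live: fetch each document URL with no credentials and flag any that return content, or that return content without telling search engines and caches to keep out. The responses and URLs here are constructed stand-ins so the block runs offline; the function names are assumptions.

```python
# Added example (not from the original post): offline check for the failure
# mode in the April 2017 breach. Each Response is a constructed (status,
# headers) pair standing in for an unauthenticated GET of a document URL.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def assess_unauthenticated_fetch(url: str, resp: Response) -> list:
    """Findings for a document fetched with NO credentials.
    An empty list means the endpoint behaved as a PHI document URL should:
    it refused (401/403) or redirected to a login page (3xx)."""
    findings = []
    hdrs = {k.lower(): v.lower() for k, v in resp.headers.items()}
    if resp.status == 200:
        findings.append(f"{url}: served without login (HTTP 200)")
        # If it is served anyway, it must at least refuse indexing and caching,
        # otherwise search engines and proxies will keep copies.
        if "noindex" not in hdrs.get("x-robots-tag", ""):
            findings.append(f"{url}: no X-Robots-Tag noindex, search engines may index it")
        if "no-store" not in hdrs.get("cache-control", ""):
            findings.append(f"{url}: no Cache-Control no-store, copies may persist")
    elif resp.status not in (401, 403) and not 300 <= resp.status < 400:
        findings.append(f"{url}: unexpected status {resp.status}")
    return findings


# Constructed sample set: one misconfigured document endpoint, one correct.
SAMPLE = {
    "https://portal.example/docs/eob-1001.pdf": Response(200, {"Content-Type": "application/pdf"}),
    "https://portal.example/docs/eob-1002.pdf": Response(401, {"WWW-Authenticate": "Bearer"}),
}


def audit(samples: dict) -> dict:
    """Map each URL with problems to its findings; clean URLs are omitted."""
    report = {}
    for url, resp in samples.items():
        findings = assess_unauthenticated_fetch(url, resp)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE).items():
        print("\n".join(findings))
```

In a real run, replace SAMPLE with the status and headers returned by an HTTP client that sends no cookies or tokens, and treat every URL in the report as a finding for the Business Associate to fix before the portal is exposed.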
The Breach of July 28, 2017
In this case the problem was with the physical mail. Window envelopes allow part of the letter to be seen through the envelope, and here the visible text clearly indicated that the patient had HIV. Making this information public is clearly a major issue. The knee-jerk reaction would be to stop using window envelopes, but that could create significant extra work to make sure the right piece of paper goes to the right person. Many HIPAA breaches are the result of placing the wrong piece of paper in the wrong envelope and mailing it to the wrong person; window envelopes help prevent that type of breach. So the best way to prevent this type of breach is to make sure that any letter you send out keeps all of the patient information below the top 1/3 of the page. Because of the way paper is folded into a business envelope with a window, only information on the top 1/3 of the page can be viewed through the window, no matter how the envelope or paper may shift inside it.
Next time you do a mailing, take a couple of envelopes, fold the letters, and check what is visible through the window before sealing them. If any personal information beyond what is needed to mail the letter is visible, re-format the letter before it is sent.
If you are using a third-party service that sends out letters, invoices, or any other documents on your behalf, then once again you need to make sure you have a BAA, and the BAA must clearly state that they are responsible for all expenses related to any HIPAA breach caused by any action or technology of theirs.
The Breach of September 25, 2017
Envelopes were printed with information about a study, and those envelopes went ONLY to patients in that study. That identified the recipients as having atrial fibrillation, which is why this situation was a HIPAA breach.
This one is much more straightforward: never put any information that could be considered patient information on the outside of the envelope. In this case the information related to treatment the patient was receiving.
Please join TLD Systems for a free webinar on Understanding Business Associate Agreements on Monday, November 9, at 7 PM Eastern.