In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights issued a record 19 fines for failure to comply with the HIPAA regulations. Two of the fines issued were hybrids – based on violations of the HIPAA Privacy and Security Rules in equal measure. These HIPAA fines are discussed below.
Aetna and Violations of the HIPAA Privacy and Security Rules
The first hybrid fine was issued to Aetna. OCR found several Security Rule violations, specifically that:
- Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information.
- Aetna failed to implement procedures (access controls) to verify that a person or entity seeking access to PHI is the one claimed.
Aetna also violated the Privacy Rule:
- Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches (notably, the breaches revealed patient HIV and research study participant status).
- Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure.
- Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
For these three Privacy Rule breaches, which involve noncompliant behavior that ran the gamut, Aetna was fined $1,000,000.00.
New Haven Health Department and Violations of the HIPAA Privacy and Security Rules
The second hybrid fine was imposed on the city of New Haven, Connecticut, in the amount of $202,400. The lesson of this fine: when an employee is terminated, their network access must be terminated with them. In January 2017, the New Haven Health Department filed a breach report with OCR stating that a former employee may have accessed a file on a New Haven computer containing the protected health information (PHI) of 498 individuals.
OCR’s investigation revealed that, on July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active username and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results onto a USB drive.
The former employee, not leaving well enough alone, also shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated.
OCR’s investigation determined that New Haven failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures. Another mess that could have been averted with employee education, training, and administrative, technical, and physical safeguards.
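The two control failures OCR cited in the New Haven case, access that outlived employment and a login shared between people, are both visible in authentication logs once they are reconciled against HR offboarding records. The following added example (not code from OCR or the City of New Haven) shows that reconciliation; the usernames, hostnames, dates and log format are constructed for illustration.

```python
"""Reconcile an HR termination list against authentication logs to flag
logins by accounts that should have been disabled. All names, dates and
the log format below are constructed for this example."""
from datetime import datetime
import re

# Constructed HR offboarding records: username -> termination date.
TERMINATIONS = {
    "jdoe": datetime(2016, 7, 19),
    "asmith": datetime(2016, 6, 1),
}

# Constructed authentication log lines (timestamp, user, host, result).
AUTH_LOG = """\
2016-07-20 09:02:11 user=rlee host=HD-WS04 result=success
2016-07-27 08:45:03 user=jdoe host=HD-WS07 result=success
2016-07-28 17:10:40 user=jdoe host=HD-WS12 result=success
2016-07-29 10:00:00 user=asmith host=HD-WS03 result=failure
"""

LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) host=(\S+) result=(\S+)$")

def parse_auth_log(text):
    """Yield (timestamp, user, host, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def post_termination_logins(log_text, terminations):
    """Return successful logins by accounts on or after their termination
    date, with days elapsed: the 'access not revoked' failure OCR cited."""
    findings = []
    for ts, user, host, result in parse_auth_log(log_text):
        term = terminations.get(user)
        if term is None or result != "success" or ts < term:
            continue
        findings.append({"user": user, "host": host, "when": ts,
                         "days_after": (ts - term).days})
    return findings

def hosts_per_account(log_text):
    """Map each account to the distinct hosts it logged in from; one account
    active from several workstations is a lead for a shared credential."""
    hosts = {}
    for _ts, user, host, result in parse_auth_log(log_text):
        if result == "success":
            hosts.setdefault(user, set()).add(host)
    return hosts
```

Run against real data, the HR list would come from the offboarding system and the log lines from the directory or endpoint audit trail, and any non-empty result from post_termination_logins is a finding to escalate.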