Aetna also violated the Privacy Rule:
- Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches (notably, the breaches revealed patient HIV and research study participant status).
- Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure.
- Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
For these three Privacy Rule breaches, which involved noncompliant behavior that ran the gamut, Aetna was fined $1,000,000.00.