The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has reached a $1,000,000 settlement with health insurer Aetna. Aetna agreed to pay this fine and to adopt a two-year corrective action plan (CAP), as a result of its having committed three HIPAA violations in a six-month period. This settlement is the 14th that OCR has entered into in 2020. More settlements have been entered into in 2020 than in any other year. 2020 now holds the dubious honor of “Most fines ever levied in the history of HIPAA enforcement,” giving a new twist to the phrase “Records were made to be broken.”
What Were Aetna’s 3 HIPAA Violations That Led to the OCR Settlement?
The Aetna health plan network stretches across the US, and across the globe, with a roster of over 1.2 million healthcare professionals spread out over 5,000 hospitals. In June of 2017, Aetna submitted a breach report to OCR, informing OCR that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials. The documents were subsequently indexed by various internet search engines. Aetna reported that 5,002 individuals were affected by this breach, and the protected health information (PHI) disclosed included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
That figure might sound small for a company of Aetna’s size, but there is more to the story.
A mere two months later, in August of 2017, Aetna submitted yet another breach report to OCR, describing a new breach of unsecured PHI. Aetna informed OCR that in late July, members were mailed benefit notices using window envelopes, through which the phrase “HIV medication” could be seen below the member’s name and address. This breach, Aetna informed OCR, affected about 12,000 people.
Leaving no stone unturned, in November of 2017, Aetna submitted a third breach report to OCR, detailing the third of its three HIPAA violations. In this report, Aetna notified OCR that in late September, a research study mailing sent to plan members contained the name and logo of the atrial fibrillation (irregular heartbeat) study in which the members were participating, on the envelope. Aetna reported that 1,600 individuals were affected by this disclosure.
OCR investigated all three incidents. OCR first found, per the HIPAA Privacy Rule, that all three disclosures caused by the respective breaches were unauthorized (meaning Aetna had violated the Privacy Rule three times). In addition, OCR found that, in each instance, Aetna violated the Privacy Rule by failing to limit PHI disclosures to the minimum necessary to accomplish the purpose of its use or disclosure. OCR also found that Aetna failed to comply with the HIPAA Security Rule by failing to:
- Perform periodic technical and nontechnical evaluations of operational changes affecting the security of electronic protected health information (ePHI);
- Implement procedures to verify the identity of persons or entities seeking access to ePHI;
- Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
Noted OCR Director Roger Severino, “When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.”
In addition to the monetary settlement, Aetna will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found here.
