WellPoint, Inc. ("WellPoint"), a health benefits company, recently entered into a Resolution Agreement with the Department of Health and Human Services ("HHS"), in which WellPoint agreed to pay HHS $1.7 million to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules.

In June 2010, WellPoint reported to HHS a breach of its unsecured protected health information, which resulted from WellPoint’s failure to implement appropriate administrative and technical safeguards before making changes to its information systems. Following WellPoint’s reported breach, the HHS Office for Civil Rights ("OCR") conducted an investigation and found that from October 23, 2009 to March 7, 2010, WellPoint impermissibly disclosed the electronic protected health information ("ePHI"), including names, dates of birth, addresses, Social Security Numbers, telephone numbers, and health information, of approximately 612,000 individuals. Specifically, the OCR found that WellPoint did not:

  • Adequately implement policies and procedures for authorizing access to the online database containing ePHI;
  • Perform an appropriate technical evaluation in response to a software upgrade to its information systems; and
  • Have technical safeguards in place to verify the person or entity seeking access to ePHI maintained in its online database.

In a July press release, HHS stated that this case "sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet." Covered entities must take steps to protect ePHI before using Web-based applications or portals.

HHS cautions that "reasonable and appropriate technical, administrative, and physical safeguards" must be in place when system upgrades are performed by covered entities or their business associates. HHS also notes that beginning September 23, 2013, "liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information."

NOTE: The information in this News Alert is for informational purposes only, does not guarantee compliance with federal or state laws, and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You should not act upon information in this News Alert without first seeking the advice of counsel. Obermayer attorneys are available to answer your questions and help to ensure that your company remains compliant with HIPAA.

About the Authors:

Lawrence J. Tabas, Esq. is a partner at Obermayer Rebmann Maxwell & Hippel LLP and Chair of the Firm’s Health Care Department. He can be reached via email at lawrence.tabas@obermayer.com.

Jenna K. Shedd, Esq. is an associate at Obermayer Rebmann Maxwell & Hippel LLP and a member of the Firm’s Health Care Department. She can be reached via email at jenna.shedd@obermayer.com.