As announced in HHS press release last week, the managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
This case sends an important message to HIPAA-covered entities (as well their associates and subcontractors) to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.
The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint.
OCR’s investigation indicated that WellPoint had failed:
- to adequately implement policies and procedures for authorizing access to the on-line application database
- to perform an appropriate technical evaluation in response to a software upgrade to its information systems
- to have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
WellPoint must now pay a $1.7 million fine to HHS.
The investigation indicated that as a result of said neglect, during the period of October 23, 2009, through March 7, 2010, WellPoint disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.html
Is your medical practice a target for OCR audit?
I am sure you are aware that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors. But did you know that the OCR recently audited 20 healthcare providers to evaluate compliance with HIPAA privacy and security rules, finding numerous violations? Of those violations, 65% were security related and 26% were privacy related.
Now is the time to conduct a security risk analysis, to implement security updates and to correct any deficiencies identified with risk management process.
- Does your Practice lack a HIPAA compliance plan?
- If you have a plan, is it outdated?
- Do you rely on your computer network to run your Practice?
- Are you concerned with the security of your EMR/EPHI data?
- Do you want to learn how to get fully compliant and to avoid penalties?
If you answered YES to at least one question, powersolution can help.
Our team of highly skilled, reliable IT professionals has been working with New Jersey area Medical Practices and Healthcare Providers, assisting with HIPAA and HITECH compliance efforts through the power of our Managed IT Services program.
Our IT Solutions for Doctors Office: Overview
- Managed IT Support Services – 24/7/365 remote monitoring
- IT Service Plans – onsite, remote and virtual computer network tech support
- Hardware and Software management and upgrades
- Virus, spyware and security protection for your computers and servers
- Complete support and solutions for your practice
- HIPAA/HITECH Compliance and Tech Support services
Give us a call now at (855) 551-7760 – your Computer Network will thank you!
If you are located in New Jersey or NJ NY area and are looking for Managed IT services and Computer Support for your Medical Practice – look no further: we are here to provide your medical practice with reliable IT Support.