Three investigations over six months uncovered huge gaps in Aetna Life Insurance Company’s HIPAA compliance. Aetna submitted three separate breach reports to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in 2017 – in June, August and November. Each time, OCR investigated and found failings.
Aetna a Giant in Healthcare but Found Lacking in Compliance
Failing HIPAA compliance today means having to face the music on multiple fronts: investigations by OCR at the federal level, and lawsuits from individuals and State regulators because lawsuits are on the rise.
Aetna, which is owned by CVS Health, is one of the largest managed health care companies in the U.S., with over 47,000 employees. Before the OCR settlements were announced, Aetna had already settled a class-action lawsuit filed by breach victims in January 2018 for $17 million, and a case brought by the state of California for $935,000 in January 2019 and other state attorneys general for more than $600,000 in October 2018. All the settlements total nearly $20 million.
The following summarizes what OCR found.
Strike 1 – Aetna discovered that two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines. Over 5,000 individuals were affected by this event which compromised protected health information, such as names, insurance ID numbers, claim payment amounts, service codes, and dates of service.
Strike 2 – Aetna mailed benefit notices using window envelopes and the words “HIV medication” were visible through the envelope’s window below the member’s name and address. This affected about 11,887 plan members.
Strike 3 – a research study mailing sent to Aetna plan members displayed on the envelope exterior the name and logo of the research study – atrial fibrillation – in which they were participating. About 1,600 plan members were affected.
How Aetna Failed HIPAA
In the Resolution Agreement, OCR describes the specific failings of Aetna’s HIPAA compliance, citing the HIPAA Privacy and Security Rules.
- Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information (PHI).
- Aetna failed to implement procedures to verify that a person or entity seeking access to PHI is the one claimed.
- Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches.
- Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure.
- Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.
In addition to the settlement payment, Aetna agreed to a two year Corrective Action Plan.
HIPAA Compliance is Less Expensive than Noncompliance
Large and small organizations do not need to fear HIPAA or worry about failing a compliance test with OCR or in court.
The HIPAA E-Tool® has policies, forms, step-by-step guidance and answers to all HIPAA questions with easy to reach experts for personal help. HIPAA Risk Analysis and Risk Management is included, helping you track what needs to be done, and when, for complete compliance.
Get prepared with The HIPAA E-Tool® on your side and avoid paying big bucks for noncompliance.