On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules.
Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI). WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online.
HHS’s investigation indicated that:
- From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
- WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
- For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
- For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.