Monday, July 15, 2013

Insurer fined pennies a day per person for HIPAA violation

What do you think a fair amount should be for exposure of ePHI (diagnosis, procedures, Social Security number, date of birth, etc.) per person per day? Last week, the U.S. Department of Health and Human Services calculated that out to two cents, based on the recent WellPoint settlement. The $1.7 million settlement covers the exposure of 612,402 people's personal health and identification information.

Here is a review of what information is considered PHI from HHS.gov: Under the HIPAA Privacy Rule, protected health information (PHI) refers to individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person.

Specifically, this information can relate to:

  • The individual's past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or,
  • The past, present, or future payment for the provision of health care to the individual.
Common identifiers of health information include names, social security numbers, addresses, and birth dates.

This is what was cited specifically in the WellPoint Settlement agreement:

(1) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the Security Rule.

(2) WellPoint did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database that would establish the extent to which the configuration of the software providing authentication guards for its web-based application met the requirements of the Security Rule.

(3) Beginning on October 23, 2009, until March 7, 2010, WellPoint did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed.

(4) Beginning on October 23, 2009, until March 7, 2010, WellPoint impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.

See full resolution here.

Now that we know what the government thinks the value of your sensitive information should be, I ask: what do you think is a fair amount for exposure of ePHI information per person per day?
