OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches

October 28, 2020

Thought we’d be able to skate through the rest of October without another HIPAA fine? Not so fast. The Office for Civil Rights (OCR) just announced another $1,000,000 settlement to add to October’s tab, settling with Aetna on not one, not two, but three separate HIPAA violations. 

Aetna Life Insurance Company, as well as the affiliated covered entity (Aetna), agreed to a million-dollar payout in addition to a two-year corrective action plan as a result of multiple HIPAA incidents experienced back in 2017. 

The first violation occurred in April 2017, after Aetna discovered that two web services used to display plan-related documents to their members did not have the necessary login protections and were accessible through regular internet search engines. Aetna’s report noted that the incident exposed the protected health information (PHI) of over 5,000 individuals. 

Violation number two came just a few months later in July, when Aetna received complaints that sensitive health information was made visible through benefit notice mailers. The 11,887 affected individuals’ medication information could be seen through the window of the envelope below the member’s name and address, clearly exposing their PHI to anyone who happened across the mailings. 

Last but not least, the third violation occurred in September 2017, after a similar mailer was sent to 1,600 individuals displaying the name and logo of a research study on atrial fibrillation (irregular heartbeat) that some members were participating in. Because the logo on the envelope clearly conveyed the type of study the recipients were a part of, it was automatically an impermissible disclosure of PHI.

Three HIPAA violations in one year is already enough to get you on the OCR’s bad side, but after further investigation, they found other aspects of Aetna’s HIPAA compliance program missing, including: 

  • Proper evaluation of the security of patient data when operational changes occurred
  • Procedures in place to verify the identity of an individual seeking access to PHI
  • Limiting PHI access and disclosures to only the minimum necessary information
  • And finally, some of the administrative, technical, and physical safeguards necessary to protect the privacy of PHI 

2017 was certainly a bad year for Aetna, and 2020 has now been a very bad year for all covered entities – practices, insurance companies and business associates alike – without a complete HIPAA compliance program in place. This latest settlement brings this year’s total to a whopping $13,186,500 – almost a million dollars over last year’s total fines, with 2 months still left on the clock in 2020. 

We know you’re sick of hearing us harp on the importance of being compliant before an incident happens (seriously, we’re turning into our own mothers), but in OCR Director Roger Severino’s own words, “Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.”