[导读:近日,美国安泰人寿保险公司(Aetna)向美国卫生与公众服务部(HHS)下属的民权办公室支付100万美金并采取整改措施,以补救其此前违反《健康保险可携性和责任法案(HIPAA)》导致的损害后果。根据HHS的通讯稿,安泰曾三次违反HIPAA的相关义务:2017年4月,安泰发现其网站某页面的文件无需登录即可访问,造成超过5000人的信息泄露;2017年8月,安泰用窗信封给用户寄送受益通知,"HIV Medication"的字样出现在了信封窗中,导致逾1万人的信息泄露;2017年11月,安泰寄送的研究报告信封上印有收件人所参加的房颤研究项目的名称及标志,导致1600人的信息泄露。(本文源自HHS官网。导读系本公众号原创,转载请注明文字出自本公众号。)]
Aetna Life Insurance Company and the affiliatedcovered entity (Aetna) has agreed to pay $1,000,000 to the Office for CivilRights (OCR) at the U.S. Department of Health and Human Services (HHS) and toadopt a corrective action plan to settle potential violations of the HealthInsurance Portability and Accountability Act (HIPAA) Privacy and SecurityRules. Aetna is an American managed health care company that sells traditionaland consumer-directed health insurance and related services.
In June 2017, Aetna submitted a breach report toOCR stating that on April 27, 2017, Aetna discovered that two web services usedto display plan-related documents to health plan members allowed documents tobe accessible without login credentials and subsequently indexed by variousinternet search engines. Aetna reported that 5,002 individuals were affected bythis breach, and the protected health information (PHI) disclosed includednames, insurance identification numbers, claim payment amounts, proceduresservice codes, and dates of service.
In August 2017, Aetna submitted a breach report toOCR stating that on July 28, 2017, benefit notices were mailed to members usingwindow envelopes. Shortly after the mailing, Aetna received complaints frommembers that the words "HIV medication" could be seen through theenvelope"s window below the member"s name and address. Aetna reported that11,887 individuals were affected by this impermissible disclosure.
In November 2017, Aetna submitted a breach reportto OCR stating that on September 25, 2017, a research study mailing sent toAetna plan members contained the name and logo of the atrial fibrillation(irregular heartbeat) research study in which they were participating, on theenvelope. Aetna reported that 1,600 individuals were affected by thisimpermissible disclosure.
OCR"s investigation revealed that in addition tothe impermissible disclosures, Aetna failed to perform periodic technical andnontechnical evaluations of operational changes affecting the security of theirelectronic PHI (ePHI); implement procedures to verify the identity of personsor entities seeking access to ePHI; limit PHI disclosures to the minimumnecessary to accomplish the purpose of the use or disclosure; and have in placeappropriate administrative, technical, and physical safeguards to protect theprivacy of PHI.
"When individuals contract for healthinsurance, they expect plans to keep their medical information safe from publicexposure. Unfortunately, Aetna"s failure to follow the HIPAA Rules resulted inthree breaches in a six-month period, leading to this million dollarsettlement," said OCR Director Roger Severino.
In addition to the monetary settlement, Aetna willundertake a corrective action plan that includes two years of monitoring. Theresolution agreement and corrective action plan may be found at:
https://www.hhs.gov/sites/default/files/aetna-ra-cap.pdf -PDF
声明:本文来自个人信息与数据保护实务评论,版权归作者所有。文章内容仅代表作者独立观点,不代表安全内参立场,转载目的在于传递更多信息。如有侵权,请联系 anquanneican@163.com。