Action Comes After $17.2 Million Lawsuit Settlement
After settling a breach lawsuit for $17.2 million, Aetna has signed another large settlement related to privacy breaches involving mailings to its health plan members.
See Also: How to Scale Your Vendor Risk Management Program
The settlement with the New York state attorney general’s office is related to two postal mailings last year, including a July 2017 mailing to plan members that contained HIV drug information visible through envelope windows and a September 2017 mailing of materials related to a heart research study.
In a Tuesday statement, N.Y. Attorney General Eric Schneiderman says Aetna has agreed to pay $1.15 million and implement corrective actions related to the insurer’s privacy protections of personal health information and personally identifiable information in mailings.
The attorney general’s office notes that “Aetna revealed the HIV status of approximately 2,460 New York members through a mailing in July 2017 in which the envelopes’ oversize transparent address window revealed text confirming the members’ HIV status.”
In the breach involving the heart study, 163 New York members received a mailing with a logo for a research study which could have been interpreted as indicating a diagnosis of atrial fibrillation.
Last week, Aetna signed a $17.2 million settlement in a class action lawsuit filed against the company last year involving that same HIV-related mailing, which affected a total of nearly 12,000 plan members across several states (see $17.2 Million Settlement for Breach Case Involving HIV Info.
More Enforcement Actions to Come?
It’s possible that the Aetna mailing breaches will also catch the enforcement eye of regulators in other states or at the HHS’ Office for Civil Rights.
“Other states are free to seek remedies for harm to their own remedies,” says healthcare attorney Stephen Wu of Silicon Valley Law Group. “It will depend on their enforcement priorities in light of their resources.”
The New York settlement agreement provides an accounting of “a disturbing number of incidents” in which the health information of plan members or participants in one or more research studies was disclosed through inattention and lack of controls to ensure that confidential information was not displayed when communications were mailed, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
“I believe it is likely that OCR and state attorneys general will take a careful look at the process and procedures of the organizations involved in these incidents,” he says.
“An inquiry would look into what policies and procedure were in place to handle the production and mailing of documents containing sensitive personal information including the apparent lack of business associate agreements required under the HIPAA Privacy Rule, were the policies and procedures followed in the production and mailing of these letters, and were the individuals affected by the unauthorized disclosures provided the notifications required by federal and state law.”
The Aetna settlements are powerful reminders about the need to safeguard patient data, regardless of whether it’s in an electronic form or on paper, such as mailings.
“We have known about this problem for over a decade from earlier misdirected emails,” Wu says. “There should be close supervision of mailing vendors. CEs and BAs should view samples of what they plan to send out to catch any last minute inadvertent disclosures. But in the planning process, they should have taken the time to provide instructions and oversight.”
As part of its settlement with New York, Aetna has agreed to modify its print and mailing practices to prevent “unwanted disclosures,” according the settlement documents.
Those changes include:
- Requiring that each business area and its privacy manager approve whether including PHI or personally identifiable information is absolutely necessary in any new or changed printed member mailing. This procedure also requires approval of anything printed on the envelope itself.
- Requiring that all print projects be performed through Aetna’s print procurement team. It also prohibits business areas from contracting directly with third-party print vendors.
—David Holtzman, CynergisTek
It’s a best practice to develop a quality control checklist to help ensure that the development of the document can be produced in way that fits into the finished mailing package – for example a window envelope, he notes. Those best practices should include “checks to ensure the output allows for any PHI to be kept confidential, and doing a final quality assurance check to physically inspect the document is stuffed into its envelope to make sure that only the recipient’s name and address is showing,” he says.
Even when there are third-party vendors involved with mailings – as was the case in the Aetna incidents – covered entities need to provide oversight to prevent breaches, Holtzman says.
“Good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy to assess the potential for compromise of data when designing the production and mailing of PHI,” he says.
“Many organizations take special precautions when producing and mailing documents that contain sensitive personal information like a person’s HIV status,” he notes. “For example, some organizations will produce a cover page containing only the addressing information that faces through the window of the envelope. Other organizations will not use window envelopes in the mailing of correspondence that includes sensitive PHI.”
In a statement provided to Information Security Media Group about the New York settlement, Aetna says: “Through our outreach efforts, immediate relief program and recent settlements we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”