According to a press release by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the managed care company WellPoint Inc. may not have adequately implemented policies and procedures for authorizing access to its online application database, and may not have performed an appropriate technical evaluation when doing a software upgrade to its information systems. Additionally, OCR alleged that WellPoint did not have appropriate technical safeguards in place to verify the identity of the person or entity seeking access to electronic protected health information (PHI) maintained in its application database, leaving the PHI of over 600,000 individuals accessible via the database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
To settle these allegations, WellPoint agreed to pay HHS $1.7 million.
This case sends an important message to HIPAA-covered entities to exercise caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to give consumers access to their health data over the Internet.
As software upgrades often involve the assistance of outside third parties (business associates), covered entities may want, in addition to having compliant business associate agreements in place, to be more specific in the scope of work described in their services agreements about the privacy and security safeguards that will apply during such conversions or upgrades. OCR notes that beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates.