After roughly seven months since the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.

The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.

After performing its own investigation, OCR found that the oncology provider had not conducted a thorough risk assessment and had failed to put in place security measures sufficient to protect patient information. As part of the settlement, 21CO will pay $2.3 million and enter into a two-year corrective action plan (CAP). The CAP requires 21CO to conduct a comprehensive risk assessment, implement robust policies and procedures to protect patient information, and take other steps to ensure ongoing HIPAA compliance. The settlement underscores the importance of conducting a risk assessment that identifies and addresses security gaps and vulnerabilities.

On January 17, Aetna agreed to pay $17 million to settle a class action lawsuit brought against the insurer for a privacy breach affecting thousands of patients who took medication to treat or prevent HIV. In July of last year, Aetna mailed customer notices in envelopes with transparent windows. The transparent windows potentially allowed third parties to see that the recipient was using HIV medication. The total number of patients impacted is said to be approximately 12,000, which would make this the largest HIV privacy breach on record. The settlement also requires Aetna to implement changes to its privacy policies to prevent such a breach from happening again.