On March 13, 2012, HHS announced that Blue Cross Blue Shield of Tennessee (“BCBST”) has agreed to pay it $1.5 million to settle potential HIPAA violations arising from the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee. This settlement is significant because it is OCR’s first enforcement action arising out of a covered entity’s self-reported breach obligation to HHS under HITECH’s breach notification requirements.
As a result of its investigation, OCR determined that BCBST’s stolen hard drives contained PHI of over one million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR further found that BCBST failed to implement appropriate safeguards to adequately protect its patients’ PHI by not performing a risk assessment in response to operational changes. OCR’s investigation also found that BCBST failed to implement appropriate physical safeguards by not having adequate facility access controls. As a result, OCR concluded that BCBST’s inaction violated the HIPAA Security Rule.
In addition to its $1.5 million settlement payment, BCBST has entered into a corrective action plan with HHS in which BCBST agreed to the following:
- to review, revise, and maintain its Privacy and Security policies and procedures;
- to conduct regular and robust training of all BCBST employees; and
- to perform regular monitoring reviews to ensure BCBST's compliance with the corrective action plan.
Leon Rodriguez, Director of OCR, stated that “this settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”
Thus, following this settlement, covered entities and their business associates should be guided by the BCBST settlement terms and, if they have not done so recently, (1) review, revise, and update their current HIPAA policies and procedures, including completing a current or updated risk assessment, (2) regularly train their employees on health information privacy issues, and (3) monitor employee compliance with the regulations under HIPAA/HITECH.