So You Thought HIPAA Wasn't Such a Big Deal?!?
March 14th, 2012
Thanks to Attorney Erin Brisbay McMahon, a partner with the law firm of Wyatt, Tarrant & Combs with offices in Memphis, for sharing the information below:
Some of you may remember that several years ago, BCBS of Tennessee suffered a theft of hard drives with PHI on them from a mall in Tennessee. That was on a Friday night; an alarm went off at BCBS alerting that something was wrong at the mall but it was considered a low-risk alarm so no one checked on it until the Monday following. Despite BCBS notifying patients and providing credit monitoring and hiring Kroll Solutions to beef up security (which itself cost millions), it settled potential HIPAA violations with HHS for $1.5 million.
FOR IMMEDIATE RELEASE
March 13, 2012
Contact: HHS Press Office
HHS settles HIPAA case with BCBST for $1.5 million
First enforcement action resulting from HITECH Breach Notification Rule
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.
The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.
HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.
Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/civilrights/activities/agreements/index.html
Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.
Erin Brisbay McMahon Wyatt, Tarrant & Combs, LLP 250 West Main Street, Suite 1600 Lexington, KY 40507-1746 859.288.7452 (direct dial) 859.259.0649 (fax) emcmahon [at] wyattfirm [dot] com CIRCULAR 230 DISCLAIMER: THE FOREGOING CORRESPONDENCE WAS NOT WRITTEN OR INTENDED TO BE RELIED UPON, NOR CAN IT BE USED BY, ANY TAXPAYER FOR THE PURPOSE OF AVOIDING FEDERAL TAX PENALTIES. THIS DISCLAIMER IS MADE TO COMPLY WITH THE REQUIREMENTS OF CIRCULAR 230 WHICH GOVERNS PRACTICE BEFORE THE INTERNAL REVENUE SERVICE.
There are no comments yet.