
Blue Cross Blue Shield to Pay HHS $1.5M for HIPAA Breach

The Office for Civil Rights (OCR) has taken its first enforcement action stemming from the HITECH Breach Notification Rule, penalizing Blue Cross Blue Shield of Tennessee (BCBST) for violating the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (1996). BCBST has negotiated a settlement with the HHS and will pay $1.5 million to resolve the potential HIPAA violations arising from the security breach.

The data breach was one of the largest ever reported, involving the PHI of over 1 million individuals. Substantial patient information was exposed, including Social Security numbers, dates of birth, health plan numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard drives, which were stolen from BCBST facilities in Tennessee.

Under the HIPAA Security Rule, healthcare organizations must ensure that appropriate physical, technical and administrative safeguards are put in place to protect patients' ePHI. When the OCR conducted its investigation, it determined that BCBST had not taken sufficient precautions to protect confidential data and had not fulfilled its obligations under HIPAA. Physical safeguards to prevent access to the hardware were inadequate, access controls were poor, and a thorough security evaluation had not been performed.

According to OCR Director Leon Rodriguez, “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” He went on to say: “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”


In cases of HIPAA non-compliance and data breaches, the OCR demands that a comprehensive action plan be put in place to ensure that all potential security threats are identified and eliminated. While BCBST had taken action to comply with HIPAA regulations prior to the breach, there were a number of gaps in its compliance program. Had these gaps not existed, the data breach could have been avoided, even if the theft of company property could not.

As part of the corrective action plan, BCBST has agreed to review its policies and procedures and revise them to incorporate additional privacy and security controls. A program of staff training will also be conducted to ensure all employees are aware of their responsibilities under HIPAA.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.