Blue Cross Blue Shield to Pay HHS $1.5M for HIPAA Breach


The Office for Civil Rights (OCR) has taken its first enforcement action stemming from the HITECH Breach Notification Rule, fining Blue Cross Blue Shield of Tennessee (BCBST) for violating the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (1996). BCBST has now negotiated a settlement with the HHS and will pay $1.5 million to resolve the potential HIPAA violations arising from the security breach.

The data breach was one of the largest ever reported, involving the PHI of over 1 million individuals. Substantial patient information was exposed including Social Security numbers, dates of birth, health plan numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard drives which were stolen from its facilities in Tennessee.

Under the HIPAA Security Rule, healthcare organizations must ensure that appropriate physical, technical and administrative safeguards are in place to protect patients' ePHI. When the OCR conducted its investigation, it determined that BCBST had not taken sufficient precautions to protect confidential data and had not fulfilled its obligations under HIPAA: physical safeguards to prevent access to the hardware were inadequate, access controls were poor, and a thorough security evaluation had not been performed.

According to OCR Director Leon Rodriguez, “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” He went on to say, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”

In cases of HIPAA non-compliance and data breaches, the OCR demands that a comprehensive action plan be put in place to ensure that all potential security threats are identified and eliminated. While BCBST had taken action to comply with HIPAA regulations prior to the breach, there were a number of gaps in its compliance program. Had these gaps not existed, the data breach could have been avoided, even if the theft of company property could not.

As part of the corrective action plan, BCBST has agreed to review its policies and procedures and revise them to incorporate additional privacy and security controls. A program of staff training will also be conducted to ensure all employees are aware of their responsibilities under HIPAA.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
