Blue Cross HIPAA Violation Costs $18.5 Million

A fine of $1.5 million from the Office for Civil Rights is far from insubstantial; however, the total cost of correcting HIPAA issues and addressing all security issues can be considerably higher than the cost of the fine, as Blue Cross Blue Shield of Tennessee recently discovered.

The insurer was the industry’s first company to receive a fine for violating the Health Insurance Portability and Accountability Act (1996) and was issued the maximum penalty of $1.5M for the colossal data breach that exposed the Protected Health Information of over a million of its policy holders in 2009. The breach occurred when 57 hard drives were stolen from its facilities in one of the largest ever HIPAA data breaches reported to date.

The fine was issued for breaching the Privacy and Security Rules; however, it formed only a small part of the total bill the insurer received for addressing all of the issues identified by the OCR during its investigation. The cost of bringing the company’s procedures, policies, hardware and software up to date with HIPAA and the Privacy and Security Rules has been considerable. The total cost of complying with HIPAA and dealing with the data breach has been calculated to be $18.5 million.

The True Cost of HIPAA Compliance

The action plan that the health insurer agreed to follow involved bringing all of its systems up to date with current regulations and implementing a number of additional control measures to secure data and prevent further breaches.

The insurer spent approximately $6 million on data encryption services to add an extra layer of security as required by HIPAA, and a total of $17 million was spent on investigating the incident and issuing breach notifications to a million or so of its policy holders. A sizable proportion of this total was required to cover the cost of identity theft protection and credit monitoring services.

While the cost of bringing the company’s policies and procedures up to date with HIPAA and encrypting patient data was unavoidable, had steps been taken promptly to ensure compliance before the deadline passed, the insurer could have saved several million dollars.

The data breach should serve as a stern warning to all healthcare organizations that have not conducted a thorough risk analysis and addressed all security vulnerabilities identified. If a breach occurs or the OCR conducts an audit, the costs of correction are likely to be well in excess of the fine for the HIPAA violation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.