The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on Tuesday, March 13, 2012, that Blue Cross Blue Shield of Tennessee (“BCBST”) will pay $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). BCBST had previously notified HHS that 57 unencrypted hard drives containing protected health information, including social security numbers, diagnosis codes, dates of birth, and other sensitive information, were stolen from a BCBST leased facility.
This settlement represents the first enforcement action by OCR under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act Breach Notification Rule. HITECH requires that covered entities report a breach of protected health information affecting 500 or more individuals both to the media and to HHS. BCBST reported the breach, but according to OCR, it failed to implement appropriate administrative safeguards to adequately protect the information remaining at the leased facility, because it did not perform the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards, in that the facility lacked adequate access controls. Both of these safeguards are required by the HIPAA Security Rule.
For additional details regarding the enforcement action and settlement, click here.
Should you have any questions, please contact Ammon Fillmore at 317.977.1492 or afillmore@wp.hallrender.com.