Contributed by: Lee Kim, Esq.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 or more individuals to HHS and the media. Smaller breaches, affecting fewer than 500 individuals, must be reported to the Secretary on an annual basis. The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules.

The enforcement action is the first to result from a breach report required by the HITECH Act Breach Notification Rule. The investigation began after Blue Cross Blue Shield of Tennessee (BCBST) notified HHS that fifty-seven unencrypted hard drives had been stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

BCBST has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. Under that plan, BCBST will review, revise, and maintain its Privacy and Security Rule policies and procedures, conduct regular and robust training for all BCBST employees covering their responsibilities under HIPAA, and perform monitoring reviews to ensure its compliance with the corrective action plan.

OCR’s investigation indicated that BCBST failed to implement appropriate administrative safeguards to adequately protect the information remaining at the leased facility, because it did not perform the required security evaluation in response to operational changes. The investigation also showed a failure to implement appropriate physical safeguards, in that the facility lacked adequate access controls. Administrative and physical safeguards, in addition to technical safeguards, are required by the HIPAA Security Rule.