On March 13, 2012 the HHS Office for Civil Rights (OCR) announced the settlement of what it says is the first enforcement action resulting from a report under the breach notification requirements of the HITECH Act. Under the settlement, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay OCR $1,500,000 to settle potential HIPAA violations, and signed a corrective action plan.
The settlement arises from the theft of computer equipment from a locked closet, secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. However, BCBST staff had vacated the facility where the closet was located, and left building security in the hands of the property manager. The settlement is noteworthy because it shows OCR’s readiness to impose a substantial penalty on a company that was the victim of a break-in. It also emphasizes the need to keep current with risk assessments, security policies and procedures, and workforce training, particularly in the face of changing circumstances like facility closings or relocations.
The OCR press release about the settlement says:
This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program . . . . The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.
According to the press release, the investigation was triggered by a breach notice submitted by BCBST to HHS after the theft of 57 unencrypted computer hard drives from a facility in Tennessee. The drives contained information from more than a million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The release says that BCBST failed to perform the required security evaluation in response to operational changes (presumably the move), and to implement adequate facility access controls. The theft occurred in October of 2009.
In addition to the payment, BCBST entered into a Resolution Agreement with OCR. The agreement has a term of 450 days. Under the agreement, BCBST agrees to:
- Revise its HIPAA privacy and security policies to comply with HIPAA standards, submit them to HHS for approval, revise them if HHS so requests, and demonstrate that it has implemented them once they are approved. The policies must include a risk assessment and risk management plan, as well as a facility security plan including access controls and physical safeguards;
- Distribute the policies and procedures to all employees who have access to electronic protected health information, and obtain a written certification from the employees that they have read and understood the policies, and will abide by them. BCBST also agrees to notify HHS of workforce violations of the policies and procedures;
- Provide training for all BCBST employees in the policies and procedures, and obtain a certification from each employee that he or she has received the required training;
- Conduct reviews, including unannounced site visits and employee interviews, to confirm that employees are familiar with the policies and procedures, and are complying with them; and
- Submit two biannual reports to HHS documenting training, violations of policies and procedures, and compliance reviews.
Besides the cash payment, the settlement draws attention to the importance of ongoing risk analysis, maintaining current policies and procedures, and regular workforce training. Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including policies and procedures, workforce training and managing data breaches.