The HHS announced it first enforcement action resulting from the HITECH Breach Notification Rule on March 13, 2012. Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay $1.5 million to settle potential violations. The investigation began after BCBST submitted a notice to the HHS following the theft of 57 unencrypted hard drives from a leased facility in Tennessee.
The investigation found that the appropriate administrative safeguards, as well as appropriate physical safeguards were not taken to adequately secure the protected health information (PHI) contained on the drives. The drives contained PHI on over 1 million BCBST member, including names, social security numbers, diagnosis codes, and other PHI.
BCBST also agreeing to a corrective action plan to address gaps in it’s compliance program. This agreement requires BCBST to review, revise, and maintain it Privacy and Security policies and procedures. Also, it requires BCBST to regularly train all employees regarding their responsibilities under HIPAA. BCBST will also have to perform reviews to monitor their compliance with the corrective action plan.
The Office of Civil Rights Director (OCR) Leon Rodriguez said “This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” he goes on to say “The HITECH Breach Notification Rule is an important enforcement tool and the OCR will continue to vigorously protect
patients’ right to private and secure health information.”