• Home
  • Blog
  • Contact
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact

BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations

March 15, 2012 American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security No Comments

On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a payment of $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violation of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations.  According to a HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.”

According to the HHS Press Release:

“The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee.  The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.  OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes.  In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

“‘This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,’ said OCR Director Leon Rodriguez.  ‘The HITECH [Act] Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.'”

In Appendix A (Corrective Action Plan) to the Resolution Agreement, pay particular attention to the provisions of Section VI (Corrective Action Obligations):

A. Policies and Procedures

B. Distribution and Updating of Policies and Procedures

C. Minimum Content of the Policies and Procedures and Reportable Events

D. Training

E. Monitoring

The content of these provisions provides excellent guidance on procedures underpinning compliance efforts and consequences of non-compliance.

20120315

Tags: appropriate physical safeguardsBCBSTBlue Cross Blue Shield of Tennesseebreach notification rulebreach reportcompliance programcorrective action obligationsCorrective Action PlanDEPARTMENT OF HEALTH AND HUMAN SERVICESEnforcementenforcement toolsfacility access controlsHealth Care ProviderHealth Information Technology for Economic and Clinical Health ActHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACThealth planHHSHIPAAHIPAA Security RuleHITECH Actimplementinvestigationmonitornon-complianceOCROCR Director Leon RodriguezOffice for Civil RightsPHIpolicies and proceduresPrivacy Ruleprotected health informationreportable eventResolution Agreementsecure health informationsecurity evaluationSecurity RulesettlementTrainingunencryptedviolation
No Comments
Share
0

You also might be interested in

HIPAA Final Rule: Modification of Business Associate Definition, Part (4)–Personal Health Record Vendor

Feb 12, 2013

February 12, 2013.  Today, we examine the role of the[...]

NIST Guide for Implementing HIPAA Security Rule

Jan 19, 2009

US DEPARTMENT OF COMMERCE National Institute of Standards and Technology[...]

Exploring HIPAA and HITECH Act Definitions: Part 6

Nov 12, 2009

From now through November, HIPAA.com is providing a run through[...]

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message
HIPAA- Health Insurance Portability Accountability Act

© 2023 · hipaa.com

Prev Next