On March 13, 2012, the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced its settlement with Blue Cross Blue Shield of Tennessee (BCBST). The settlement marks the first enforcement action resulting directly from the filing by a covered entity of a breach notification report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.
Under the terms of the settlement, BCBST will pay HHS $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Additionally, BCBST signed a corrective action plan (CAP) to address gaps in its HIPAA compliance program.
The settlement covers the October 2009 theft of 57 unencrypted hard drives from a data storage closet at a former BlueCross leased call center. The hard drives contained information about more than 1 million health plan members, including names, social security numbers and health plan identification numbers. The drives held audio and video recordings of customer service calls.
BCBST had relocated its staff from the call center earlier in the year, and surrendered most of the leased property – except for a network data closet – to a property management company. Notably, the network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock, and the property management company continued to provide security services. The drives in the network data closet had been scheduled to be moved the first week of November 2009.
HHS found that BCBST failed to implement appropriate safeguards required by the HIPAA Security Rule, including (1) the failure to implement appropriate administrative safeguards by not performing the required security evaluation in response to operational changes, and (2) the failure to implement appropriate physical safeguards by not having adequate facility access controls.
In addition to the fine, the CAP requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures to ensure they are consistent with HIPAA and include certain content specified by HHS, to conduct “regular and robust” trainings for all BCBST workforce members who have access to electronic PHI, to perform monitor reviews to ensure maintained BCBST compliance with the CAP, and to submit biannual reports to HHS.
The settlement demonstrates HHS’ continued commitment to actively enforcing HIPAA. In HHS’ press release announcing the settlement, OCR Director Leon Rodriguez stated that the Breach Notification Rule will serve as an “important enforcement tool” for HHS. He also emphasized the importance of covered entities having comprehensive HIPAA compliance programs.
The facts disclosed in the resolution agreement do not constitute the types of significant lapses in security practices typically associated with HHS security enforcement actions and could suggest increasing expectations by OCR regarding the types of administrative and physical safeguards required. It also suggests a more clear focus on process and documentation requirements, considering that the CAP requires a documented risk assessment, policies and procedures, training, and documentation of such training. Going forward, HIPAA covered entities and business associates are advised to ensure that their security compliance and training programs are documented in accord with the HIPAA Security Rule specifications.