Under the HITECH Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information (PHI), a "breach," must be reported to the affected individuals in every case. A breach affecting 500 or more individuals must also be reported to HHS, and to prominent media outlets serving the affected state, without unreasonable delay and no later than 60 days after discovery. Smaller breaches, affecting fewer than 500 individuals, must be logged and reported to the Secretary annually, within 60 days of the end of the calendar year in which they were discovered.
In the first enforcement action resulting from the HITECH Breach Notification Rule, Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay $1,500,000 to the US Department of Health and Human Services (HHS) to settle potential violations of the HIPAA Privacy and Security Rules. The settlement is the result of an investigation that followed a notice from BCBST to HHS reporting the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee.
The stolen hard drives contained the PHI of over 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. Following the report from BCBST, the HHS Office for Civil Rights (OCR) conducted an investigation. The investigation found that BCBST had not implemented adequate administrative safeguards at the leased facility, in that it had not performed the required security evaluation, and had failed to implement physical safeguards, such as adequate facility access controls, as required by the HIPAA Security Rule. Note the word "unencrypted": had the drives been encrypted in line with HHS guidance, the PHI on them would not have counted as "unsecured" and their theft would not have triggered the breach notification obligations at all.
In addition to the payment, BCBST is required to review, revise, and maintain its privacy and security policies and procedures, and to conduct training for all BCBST employees at regular intervals to ensure that their responsibilities under HIPAA are well understood. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program, and to perform regular reviews to monitor compliance with that plan.
OCR Director Leon Rodriguez said that the HITECH Breach Notification Rule is an important enforcement tool and that OCR will continue to use it vigorously to protect patients' rights to the safety and privacy of their health information. He added that the BCBST settlement sends an important message to all health plans and health care providers: OCR expects them to have a carefully designed, delivered, and monitored HIPAA compliance program in place.
So does your HIPAA compliance program meet OCR's expectations? Have you implemented the administrative and physical safeguards that BCBST failed to put in place? If not, it's time to adopt eGestalt's SecureGRC. SecureGRC is a fully automated and integrated solution that has been carefully designed to meet HIPAA and HITECH requirements, and that meets the criteria OCR expects of a HIPAA compliance program.