HIPAA/HITECH Enforcement Action Alert


[author: Lauren B. Licastro]

Health plan agrees to pay $1.5 million following HHS investigation of self-reported data breach.

If you report a significant data breach to the Department of Health and Human Services (HHS), you may face a follow-up investigation and possible enforcement action.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report data breaches affecting 500 or more individuals to HHS and the media, in addition to notifying the affected individuals. HHS pays close attention to these breach reports and initiates investigations of those it deems significant, as evidenced by its recently announced settlement with BlueCross BlueShield of Tennessee (BlueCross).

In 2009, BlueCross reported the theft of 57 unencrypted computer hard drives containing the protected health information (PHI) of more than one million customers from a former BlueCross call center in Chattanooga. The hard drives had been stored in a network data closet that BlueCross continued to lease after it had otherwise vacated the office space. The closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. In addition, the property management company for the leased spaced provided security services.

In spite of these physical safeguards, HHS determined that the PHI contained on the hard drives was not protected well enough. In addition to paying a penalty of $1.5 million, BlueCross agreed to a corrective action plan that requires it to, among other things, submit its HIPAA privacy and security policies and procedures to HHS for review and approval, distribute the policies and procedures to all members of its workforce who have access to PHI, report violations of the policies and procedures by members of the workforce to HHS within 30 days, train all current workforce members on the approved policies and procedures and all new workforce members within 40 days of hire, and submit to unannounced site visits.

We encourage all HIPAA-covered entities (including health plans, healthcare providers, and healthcare clearinghouses) and their business associates to take a fresh look at the HIPAA privacy and security safeguards they have in place and to employ all reasonable means of securing PHI. It is worth noting that had the hard drives been encrypted (i.e., secured), BlueCross would not have been obligated to report the theft under HITECH. The less unsecured PHI that exists, the less opportunity there is for a reportable breach that may lead to an HHS investigation and penalties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:


Morgan Lewis on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.