No one wants to be the first, especially not in this case. The Department of Health and Human Services’ Office for Civil Rights (OCR) announced its first settlement with a covered entity stemming from a report submitted pursuant to the Health Information Technology for Economic and Clinical Health Act’s (HITECH) Breach Notification Rule (the “Rule”). According to the Resolution Agreement, Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and has submitted to an extensive 450-day corrective action plan with two required semi-annual reports to address deficiencies in its HIPAA compliance program.
Since the Rule’s publication in August 2009, covered entities have had to notify the Secretary and affected individuals of any breach of unsecured protected health information (PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance). If the breach affects more than 500 individuals, notification must also be provided to the media. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary on an annual basis.
On November 3, 2009, BCBST reported to HHS that 57 unencrypted computer hard drives, among other computer equipment, were stolen around October 2, 2009 from a network data closet at an unstaffed facility that it leased. The hard drives were part of a system that recorded and stored over 300,000 video recordings and over 1 million audio recordings of customer service calls. The data contained the protected health information (PHI) of just over 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The theft happened only a month before the servers containing the data were to be transferred to another facility.
OCR determined that BCBST failed to implement both administrative and physical safeguards required under the HIPAA Security Rule. First, BCBST neglected to perform the required security evaluation (the evaluation standard at 45 C.F.R. § 164.308(a)(8)) in response to operational changes: the transfer of staff out of the facility and the transfer of security responsibilities to the property management company. Second, even though the network data closet was secured by biometric and keycard scan access with a magnetic lock, behind an additional door with a keyed lock, OCR still determined that BCBST did not use adequate facility access controls (45 C.F.R. § 164.310(a)), likely because it had never evaluated the quality of the property manager’s security services or educated that vendor on how to protect the PHI stored on the servers. The lesson is that the existence of locks and badge readers is not the same as a risk analysis: once the facility became unstaffed and physical security was outsourced, the control environment changed and the evaluation had to be redone. It is also worth noting that the drives were unencrypted; had they been encrypted consistent with HHS guidance, the PHI would have been “secured” and the theft would not have been a reportable breach under the Rule at all.
Even though the annual deadline for reporting breaches affecting fewer than 500 individuals has already passed (mentioned in our 2/7/12 post), it is never too early for covered entities and their business associates to evaluate and improve their internal HIPAA compliance processes. BCBST was the first, but there are bound to be more enforcement actions arising from breaches reported under the Rule, and every organization can benefit from a comprehensive HIPAA/HITECH checkup.