Blue Cross and Blue Shield of Tennessee (BCBST) will pay $1.5 million and enter into a Corrective Action Plan with the Department of Health and Human Services Office for Civil Rights (OCR) to settle OCR's investigation into BCBST's violations of the HIPAA Security Rule. Sarah Swank and Joshua Freemire review the genesis of the settlement and discuss the lessons other covered entities can learn from it.
Increased enforcement is a key message from the Department of Health and Human Services Office for Civil Rights (OCR). Since the start of 2012, OCR has publicized settlements with three entities: two concerned civil rights violations under Section 504 of the Rehabilitation Act, and the most recent concerned violations of the HIPAA Security Rule. On March 13, 2012, OCR issued a press release detailing its settlement with Blue Cross and Blue Shield of Tennessee (BCBST), under which BCBST agreed to pay $1.5 million and enter into a 450-day Corrective Action Plan (CAP) to address its HIPAA compliance issues. BCBST settled following an investigation triggered by the report of a "breach" — 57 unencrypted hard drives, containing patient records for over a million patients, were stolen from a leased facility in Tennessee.