HHS Settles HIPAA Investigation for $1.5 Million
The Department of Health and Human Services has recorded its first enforcement action resulting from the 2009 breach notification rule, reaching a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST).
The investigation followed a report from BCBST that 57 computer hard drives were stolen from a locked data network closet in a leased office facility. The drives contained the unencrypted protected health information of more than one million individuals, including names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
BCBST had relocated staff from the facility but not yet moved the computer equipment. An investigation by HHS’s Office for Civil Rights determined that BCBST failed to implement appropriate administrative safeguards by not performing a security evaluation in response to the operational changes. The investigation also showed a failure to implement appropriate physical safeguards, according to the resolution agreement. Both safeguards are required by the HIPAA security rule.
In addition to the monetary settlement, BCBST agreed to a corrective action plan to review its HIPAA compliance program and address gaps.
The agreement is not an admission of liability by BCBST or a concession by HHS that the covered entity is not in violation of HIPAA. Instead, the two parties agreed to a settlement to avoid further burden and expense of investigation and litigation.
The breach notification rule, a provision of the HITECH Act, established requirements for how covered entities must respond to breach incidents, including notification of the affected individuals and HHS. Breaches affecting 500 or more individuals must be reported to HHS within 60 days and are posted on an HHS Web site. Covered entities have reported 400 such large-scale breaches involving more than 19 million people since reporting began in September 2009.
Locked, but Stolen
The BCBST breach is one of the largest on HHS’s list, as well as one of the first.
BCBST reported the incident on November 3, 2009, approximately a month after employees discovered the theft and less than two months after the breach reporting requirements became effective. The Office for Civil Rights opened its investigation on January 8, 2010.
The data network closet was secured by biometric and keycard scanners with a magnetic lock, plus an additional door with a keyed lock. The property management company also maintained security services for the building.
According to BCBST, it received an alert on Friday, October 2 that the server at the leased facility was unresponsive. The alert included no indication that a theft had occurred. Staff did not investigate until Monday, October 5, because the unresponsive server did not appear to adversely impact operations.
The stolen hard drives were part of a system that stored audio and video recordings of customer service calls. The audio and video data had to be manually and individually reviewed to obtain access to the protected health information.
The Corrective Action Plan
Under the terms of the corrective action plan, BCBST will provide HHS with its policies and procedures related to the privacy and security rules and then revise them as HHS indicates. BCBST will then have 220 days to demonstrate that it has implemented any revisions.
The plan also describes how BCBST must distribute the revised policies and procedures and conduct training on them.
The resolution agreement includes details of the monitoring program BCBST will be required to implement as part of the action plan. HHS will have the right to access records related to BCBST’s monitor reviews. The requirements of the monitoring program begin on page 4 of the resolution agreement.