Blue Cross Blue Shield to Pay HHS $1.5M for HIPAA Violations

The Office for Civil Rights (OCR) has completed its first enforcement action arising from the HITECH Breach Notification Rule, penalizing Blue Cross Blue Shield of Tennessee (BCBST) for violating the Security and Privacy Rules of the Health Insurance Portability and Accountability Act of 1996. BCBST has now negotiated a settlement with HHS and will pay $1.5 million to resolve the potential HIPAA violations connected with the security breach.

The data breach was among the largest ever reported, involving the PHI of more than 1 million people. A substantial amount of patient information was exposed, including dates of birth, health plan numbers, Social Security numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard disk drives that were stolen from BCBST's facilities in Tennessee.

Under the HIPAA Security Rule, healthcare organizations must ensure that appropriate administrative, physical and technical safeguards are in place to protect patients' ePHI. When OCR conducted its investigation, it concluded that BCBST had not taken adequate measures to protect confidential data and had not met its obligations under HIPAA. Physical safeguards to prevent access to the hardware were inadequate, access controls were poor, and a thorough security assessment had not been carried out.

OCR Director Leon Rodriguez said: “The HITECH Breach Announcement Law is a vital enforcement means and OCR will carry on to strongly safeguard patients’ entitlement to confidential and safe health info.” He added: “This disbursement sends a crucial message that OCR believes health policies and health care providers to set up a cautiously planned, provided, and supervised HIPAA compliance program.”

In cases of HIPAA non-compliance and data breaches, OCR requires that a comprehensive corrective action plan be put in place to ensure that all potential security risks are identified and addressed. Although BCBST had taken steps to comply with HIPAA rules before the breach, there were many gaps in its compliance program. Had those gaps not existed, the data breach might have been prevented, even if the theft of company property might not.

As part of the corrective action plan, BCBST has agreed to review its policies and procedures and revise them to include additional privacy and security controls. A program of HIPAA staff training will also be carried out to ensure that all employees are aware of their responsibilities under HIPAA.