Advertisement

May 22, 2013

HIPAA/HITECH Enforcement Action Alert

Morgan, Lewis & Bockius LLP.
Lauren B. Licastro
Morgan, Lewis & Bockius LLP
Thursday, March 22, 2012
Communications, Media & Internet / Consumer Protection / Health Law & Managed Care / Insurance Reinsurance & Surety / Labor & Employment
All Federal
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

Health plan agrees to pay $1.5 million following HHS investigation of self-reported data breach.

If you report a significant data breach to the Department of Health and Human Services (HHS), you may face a follow-up investigation and possible enforcement action.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report data breaches affecting 500 or more individuals to HHS and the media, in addition to notifying the affected individuals. HHS pays close attention to these breach reports and initiates investigations of those it deems significant, as evidenced by its recently announced settlement with BlueCross BlueShield of Tennessee (BlueCross).

In 2009, BlueCross reported the theft of 57 unencrypted computer hard drives containing the protected health information (PHI) of more than one million customers from a former BlueCross call center in Chattanooga. The hard drives had been stored in a network data closet that BlueCross continued to lease after it had otherwise vacated the office space. The closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. In addition, the property management company for the leased spaced provided security services.

In spite of these physical safeguards, HHS determined that the PHI contained on the hard drives was not protected well enough. In addition to paying a penalty of $1.5 million, BlueCross agreed to a corrective action plan that requires it to, among other things, submit its HIPAA privacy and security policies and procedures to HHS for review and approval, distribute the policies and procedures to all members of its workforce who have access to PHI, report violations of the policies and procedures by members of the workforce to HHS within 30 days, train all current workforce members on the approved policies and procedures and all new workforce members within 40 days of hire, and submit to unannounced site visits.

We encourage all HIPAA-covered entities (including health plans, healthcare providers, and healthcare clearinghouses) and their business associates to take a fresh look at the HIPAA privacy and security safeguards they have in place and to employ all reasonable means of securing PHI. It is worth noting that had the hard drives been encrypted (i.e., secured), BlueCross would not have been obligated to report the theft under HITECH. The less unsecured PHI that exists, the less opportunity there is for a reportable breach that may lead to an HHS investigation and penalties.

Copyright © 2013 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About the Author

Lauren B. Licastro
Of Counsel

Lauren B. Licastro is of counsel in Morgan Lewis's Employee Benefits and Executive Compensation Practice. Ms. Licastro counsels clients on matters related to the implementation, operation, and termination of retirement plans and health and welfare benefit plans in compliance with ERISA, the Internal Revenue Code, COBRA, HIPAA, Healthcare Reform, and other applicable law. She negotiates contracts on behalf of employers with plan service providers, such as insurers, recordkeepers, and third-party administrators, and also provides advice regarding employment agreements...

llicastro@morganlewis.com
412.560.3383
www.morganlewis.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.