July 4, 2022

Volume XII, Number 185


July 01, 2022

HHS OCR Announces First Settlement of a Self-Reported HIPAA Violation

No one wants to be the first, especially not in this case. The Department of Health and Human Services' Office for Civil Rights (OCR) has announced its first settlement with a covered entity arising from a breach report submitted under the Health Information Technology for Economic and Clinical Health Act's (HITECH) Breach Notification Rule (the "Rule"). According to the Resolution Agreement, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and agreed to a 450-day corrective action plan, with two required biannual reports, to address deficiencies in its HIPAA compliance program.

Since the Rule's publication in August 2009, covered entities have been required to notify the Secretary and affected individuals of any breach of unsecured protected health information. If a breach affects more than 500 individuals, notification must also be provided to the media. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary on an annual basis.

On November 3, 2009, BCBST reported to HHS that 57 unencrypted computer hard drives, along with other computer equipment, had been stolen on or about October 2, 2009 from a network data closet at an unstaffed leased facility. The hard drives were part of a system that recorded and stored over 300,000 video recordings and over 1 million audio recordings of customer service calls. The data contained the protected health information (PHI) of just over 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The theft occurred only a month before the servers holding the data were scheduled to be moved to another facility.

OCR determined that BCBST failed to implement both administrative and physical safeguards required under the HIPAA Security Rule. First, BCBST did not perform the required security evaluation (45 C.F.R. § 164.308(a)(8)) in response to operational changes: the transfer of staff out of the facility and the transfer of security responsibilities to the property management company. Second, even though the network data closet was protected by biometric and keycard scanners with a magnetic lock, behind an additional door with a keyed lock, OCR still found that BCBST did not implement adequate facility access controls (45 C.F.R. § 164.310(a)(1)). The likely reason is that BCBST never evaluated the quality of the property manager's security services or instructed that company on how to protect the PHI stored on the servers; strong locks on a door are not a substitute for assessing and assigning responsibility for what sits behind it.

Even though the annual deadline for reporting breaches affecting fewer than 500 individuals has already passed (as discussed in our 2/7/12 post), it is never too early for covered entities and their business associates to evaluate and improve their internal HIPAA compliance processes. BCBST was the first, but there are bound to be more enforcement actions arising from reports submitted under the Rule, and every organization can benefit from a comprehensive HIPAA/HITECH checkup.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume II, Number 78

About this Author

Dianne Bourque
Of Counsel, Mintz

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's...

(617) 348-1614