January 30, 2023

Volume XIII, Number 30


HHS Settles HIPAA Case for $1.5 Million

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has announced a settlement of $1.5 million with Blue Cross Blue Shield of Tennessee (BCBST) stemming from BCBST’s potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. See HHS March 13, 2012 press release “HHS Settles HIPAA Case with BCBST for $1.5 million.”

This is the first enforcement action taken by the OCR resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The HITECH Breach Notification Rule requires covered entities to report to HHS and the media an impermissible use or disclosure of protected health information, or “breach,” affecting 500 or more individuals.

Pursuant to the HITECH Breach Notification Rule requirements, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a facility that BCBST leased in Tennessee, and an OCR investigation ensued after that report. The hard drives contained protected health information (PHI) of over 1 million individuals. The OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to protect the PHI at the leased facility because it did not perform the required security evaluation in response to operational changes. The OCR also found that BCBST failed to implement appropriate physical safeguards because it did not have adequate facility access controls. Both of these safeguards are required by the HIPAA Security Rule.

In addition to the $1.5 million settlement, the OCR has entered into a corrective action plan with BCBST that requires BCBST to review, revise and maintain its HIPAA Privacy and Security policies and procedures, to conduct regular and robust training for BCBST covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan. 

© 2023 BARNES & THORNBURG LLP
National Law Review, Volume II, Number 78

About this Author

Heather Delgado Healthcare Attorney
Partner

Healthcare providers depend upon Heather Delgado for her commitment to responsiveness and practical legal advice. Heather focuses on finding the right solution for her clients. She is valued for her ability to overcome the obstacles her clients face and for her skill in applying complex laws and regulations to their business practices.

Heather’s experience includes the representation of healthcare providers, including hospitals, health systems, specialty hospitals, ambulatory surgery centers, multi- and single-specialty medical practices, and a wide variety of healthcare...

312-338-5905