HHS Settles HIPAA Case for $1.5 Million
The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has announced a settlement of $1.5 million with Blue Cross Blue Shield of Tennessee (BCBST) stemming from BCBST’s potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. See HHS March 13, 2012 press release “HHS Settles HIPAA Case with BCBST for $1.5 million.”
This is the first enforcement action taken by the OCR resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or “breach,” affecting 500 individuals or more to HHS and the media.
Pursuant to the HITECH Breach Notification Rule requirements, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a facility that BCBST leased in Tennessee; an OCR investigation followed that report. The hard drives contained protected health information (PHI) of over 1 million individuals. The OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to protect the PHI at the leased facility because BCBST did not perform a required security evaluation in response to operational changes. The OCR also found that BCBST failed to implement appropriate physical safeguards by not having adequate facility access controls. Both of these safeguards are required by the HIPAA Security Rule.
In addition to the $1.5 million settlement, the OCR has entered into a corrective action plan with BCBST that requires BCBST to review, revise and maintain its HIPAA Privacy and Security policies and procedures, to conduct regular and robust training for BCBST employees covering their responsibilities under HIPAA, and to perform monitoring reviews to ensure BCBST’s compliance with the corrective action plan.