HITECH Breach Notification Results in OCR’s First HIPAA Enforcement Action

On March 13, 2012, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had entered into a Resolution Agreement with Blue Cross Blue Shield of Tennessee (BCBST) to resolve a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Under the provisions of the Resolution Agreement, BCBST agreed to pay HHS $1,500,000 to settle potential HIPAA violations and agreed to a corrective action plan (CAP) to address gaps in its HIPAA compliance program, according to an HHS press release.

OCR took the enforcement action after conducting an investigation based on a breach report BCBST submitted as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) Breach Notification Rule. The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information (PHI) of 500 individuals or more to HHS and the media. If less than 500 individuals are affected, covered entities must be report to the Secretary on an annual basis (see 45 C.F.R. § 164.408). OCR’s investigation indicated that BCBST failed to implement appropriate administrative and physical safeguards required by the HIPAA Security Rule.

The Breach

According to the Resolution Agreement , BCBST reported that on October 5, 2009, its employees discovered a theft of computer equipment from a network data closet located at a leased facility in Tennessee. BCBST’s internal investigation determined that the theft occurred on or about October 2, 2009, and that the stolen items included 57 hard drives containing encoded electronic data that included the PHI of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. BCBST’s investigation found that the PHI of 1,023,209 individuals was stored on the hard drives.

BCBST’s had relocated its staff and vacated the premises by June 26, 2009, except for the network data closet, which contained the encoded computer hard drives that were stolen. The premises had been turned over to a property management company. Security services also were turned over to and maintained by the property management company. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. The servers in the network data closet were scheduled to be moved the first week of November 2009.

OCR’s findings indicated that BCBST failed to implement appropriate (1) administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes, and (2) physical safeguards by not having adequate facility access controls, according to the HHS press release.

The Corrective Action Plan

The CAP, which is incorporated into the Resolution Agreement, is in effective for 450 days beginning with the effective date of the CAP. Under the Corrective Action Obligations, BCBST must:

• Provide HHS copies of its current written privacy and security policies within 30 days of the effective date of the CAP for review and approval and make any changes recommended by HHS within 30 days of receiving them. The revised policies and procedures must be submitted to HHS for review and approval.

• Provide evidence that it has implemented the policies and procedures after receiving HHS’ approval,

• Include in its policies and procedures (1) risk assessments of potential risks and vulnerabilities, (2) a risk management plan, (3) facility access controls and a facility security plan, and (4) physical safeguards governing the storage of electronic storage media containing electronic PHI (ePHI).

• Distribute and provide evidence that it has distributed the policies and procedures to all members of the workforce who have access to BCBST’s ePHI and obtain a written or electronic certification form from those members stating that the member has read, understands, and will abide by the policies and procedures.

• Report to HHS employee violations of the policies and procedures.

• Provide training to all members of the workforce who have access to ePHI as well as new members of the workforce and require those who attend training to certify, in writing or in electronic form, that he or she has received the required training and specify the date training was completed.

• Conduct two monitor reviews at designated times under the direction of the Chief Privacy Officer or his or her designee to: (1) validate that random samples of members of the workforce are familiar and complying with the policies and procedures; (2) ensure electronic storage media and portable devices containing ePHI are secured in compliance with the policies and procedures; (3) identify any risks to ePHI, recommend steps to reduce risks, and (4) confirm implementation of risk management steps.

• Submit Biannual Reports to HHS, and

• Comply with the document retention requirements set forth in the CAP for inspection and copying all documents and records relating to compliance with this CAP for three (3) years.

BCBST and OCR Responses

Tena Roberson, deputy general counsel and chief privacy officer for BCBST said that “[s]ince the theft, [BCBST has] worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times.”  The company’s response to the crime included the encryption of all its at-rest data—a voluntary effort that goes above and beyond current industry standards. In total, the company has spent nearly $17 million in investigation, notification and protection efforts, according to the BCBST media release.  Roberson also said that BCBST appreciates “working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process.”

OCR Director Leon Rodriguez noted that “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”