Blue Cross/Blue Shield of Tennessee has agreed to pay a fine of $1.5 million to the Office for Civil Rights, in addition to incurring costs and expenses to the tune of $17 million for breach mitigation, all related to staggering breaches of protected health information (PHI) which occurred in the fall of 2009.

Some 57 hard drives containing unencrypted PHI were stolen from a data storage closet of the Tennessee insurer in the fall of 2009.  The drives contained audio and video recordings related to insured individuals, as well as detailed identifying data, such as names, diagnosis codes, Social Security numbers, and health insurance identification numbers.  BCBS of Tennessee’s breach involved the PHI of more than one million individuals.

The failure by the TN insurer to encrypt the data on the hard drives is but one of several violations of HIPAA regulations which occurred in the course of this debacle.  Covered entities should always remember that HIPAA is more than a policy document.  Administrative personnel must be sure to train their employees well and often and should make sure that the policies and procedures adopted by the health care provider are executed with precision on the ground.

For example, hospitals and clinics should ask their IT professionals to review the current state of the hardware and software running in their offices to be sure that any technology containing or accessing PHI meets the requirements of HIPAA’s Security Rule.  Further, the hospital should be sure to spend adequate time training and educating the employees about the requirements of HIPAA, particularly with regard to the Privacy and Security Rules and how those rules affect day-to-day activities in the office environment.

This latest announcement regarding BCBS of Tennessee comes after the UCLA fines ($865,500) in July 2011, Massachusetts General Hospital fines ($1 million) in February 2011, Rite Aid fines ($1 million) in July 2010, and the CVS fines ($2.25 million) in February 2009.  The track record shows one or more large breaches and related enforcement fines per year beginning in 2009, and the trend does not appear to be slowing.

Covered entities should take steps to test the current state of their HIPAA compliance and be sure that their names don’t wind up on the next list.

For more information, you can see the original press release at:

http://www.hhs.gov/news/press/2012pres/03/20120313a.html