The United States Department of Health and Human Services, Offices for Civil Rights (“OCR”) and BlueCross Blue Shield of Tennessee (“BCBST”) announced a settlement this week for $1.5 million for a breach of protected health information under the Health Information Portability and Privacy Act (“HIPAA”). In November 2009, BCBST submitted a Health Information Technology for Economic and Clinical Health Act (“HITECH”) Breach Report to OCR regarding the theft of 57 hard drives containing encoded electronic data including member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers of 1,023,209 individuals. The hard drives were taken from a data storage closet at a former call center. According to BCBST, there was no indication of any misuse of personal data on the stolen hard drives and the company spent approximately $17 million on the investigation, notification, and protection efforts.

In addition to the $1.5 million payment, BCBST agreed to a Corrective Action Plan wherein BCBST is required to:

  • Submit a biannual report;
  • Comply with the document retention requirements;
  • Demonstrate distribution and implementation of policies and procedures to its workforce with access to ePHI;
  • Conduct a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI;
  • Prepare a risk management plan that implements security measures sufficient to reduce risks and vulnerabilities;
  • Prepare a facility security plan to limit access to electronic information systems and facilities where they are housed and to safeguard equipment containing ePHI from unauthorized physical access, tampering, and/or theft;
  • Implement physical safeguards governing the storage of electronic storage media containing ePHI;
  • Conduct random samples of BCBST workforce’s familiarity and compliance with the policies and procedures; and
  • Conduct random samples of electronic storage media and devices.

The enforcement action by OCR against BCBST was the first resulting from a breach report required by the HITECH breach notification rule. This resolution agreement was the sixth to be entered into by OCR for HIPAA breaches with one entity receiving civil monetary penalties as well. Civil penalties for HIPAA violations range from $100 to $50,000 per violation with a maximum of $1.5 million for all violations of an identical provision in a calendar year.