03.15.2012

Updates

BlueCross BlueShield of Tennessee (BCBST) has agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) and enter into a Corrective Action Plan (CAP) to settle alleged violations of the HIPAA privacy and security regulations. The enforcement action arose from the theft of 57 hard drives that contained audio and video recordings of customer service calls and included electronic protected health information (ePHI) of over one million individuals. The settlement resolves HHS’s first enforcement action in connection with the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The CAP also provides insight into the kinds of security measures HHS expects companies in possession of ePHI to have in place.

Theft of the Hard Drives

The stolen BCBST hard drives were in a network data closet at a leased facility and were scheduled to be moved several months after BCBST moved its staff to a different facility. The data closet was secured by biometric and keycard scan security behind both magnetic and keyed locks, and the owner of the facility provided security services. BCBST received an alert on a Friday that the server at the leased facility was not responding, but the alert did not indicate that the hard drives had been stolen and there was no impact on operations. So BCBST did not discover that a theft had occurred until the following Monday. As required by the breach notification provisions of the HITECH Act, BCBST reported the breach to HHS.

The Corrective Action Plan

In addition to the $1.5 million settlement payment, BCBST agreed to significant obligations under the CAP, including:

  • Development and implementation of policies and procedures that include a risk assessment and risk management plan, appropriate facility access controls, and appropriate physical safeguards governing the storage of electronic media that are to be submitted to HHS within 30 days and that are subject to HHS review and approval;
  • Distribution of the policies and procedures to all members of BCBST's workforce who have access to ePHI and documented certification by each individual that he or she received the policies and procedures and has read, understands, and will abide by them;
  • Training on the policies and procedures for all members of the BCBST workforce who have access to ePHI, certification of completion for anyone who will be involved with the transport or storage of ePHI, and submission of a description of the training to HHS;
  • Reviews by a monitor, under the direction of BCBST's Chief Privacy Officer, to sample both the BCBST workforce members and BCBST electronic storage media and portable devices containing ePHI to confirm adherence to the required training, policies and procedures;
  • Unannounced site visits by the monitor to BCBST facilities housing portable devices;
  • HHS access to all notes, workpapers, and other records created as part of the monitor's reviews, with the exception of documents protected by attorney-client privilege or the work product doctrine.

If BCBST fails to fulfill the requirements of the CAP, HHS may impose civil money penalties as provided by the privacy and security regulations.

Implications

This is the first enforcement action to arise from the HITECH Act notification requirement and thereby sets a benchmark for the sanctions or penalties that HHS will impose in the future for ePHI data security breaches. This enforcement action also signals that breaches involving large numbers of individuals are likely to result in severe fines and onerous corrective actions, such as monitoring.

The BCBST hard drives were stolen despite what appeared to be good security: biometric and keycard scanners, a magnetic lock, an additional door with a keyed lock, and security services provided by the landlord. HHS took the position, though, that BCBST failed to implement appropriate administrative safeguards by not performing a security evaluation in response to operational changes (presumably the move of all staff to a different facility), and failed to implement appropriate physical safeguards by not having adequate facility access controls. BCBST did not admit liability nor did HHS concede that BCBST was in compliance with applicable privacy and security rules.

The CAP is useful in providing insight into the types of security measures that HHS would expect a large covered entity to have in place to prevent a breach from happening in the first place. For example, HIPAA and HITECH do not require that workforce members certify that they have received, read, and understood the covered entity's policies and procedures or that they have attended training on the policies and procedures, but the CAP requires both. It might be advisable for large covered entities to consider tightening up their policies and procedures proactively to incorporate provisions similar to those in the CAP. As the HHS press release announcing the settlement put it, HHS expects covered entities "to have in place a carefully designed, delivered, and monitored HIPAA compliance program."

© 2012 Perkins Coie LLP