Privacy & Information Security Law Blog

On March 13, 2012, the Department of Health and Human Services (“HHS”) announced that it had settled the first case related to the HITECH Act Breach Notification Rule. BlueCross Blue Shield of Tennessee (“BCBS Tennessee”) agreed to pay $1.5 million to settle potential HIPAA violations related to the October 2009 theft of 57 unencrypted hard drives containing protected health information (“PHI”) from a network data closet at a leased facility leased in Chattanooga, Tennessee.

The stolen PHI consisted of audio and video recordings of BCBS Tennessee customer service calls and included the names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers for over 1 million BCBS Tennessee members. After BCBS Tennessee submitted its breach notification report in November 2009, in January 2010, the HHS Office for Civil Rights (“OCR”) initiated an investigation that determined BCBS Tennessee had not implemented adequate physical safeguards and access controls to protect the PHI stored at the facility.

In addition to the $1.5 million settlement with HHS, BCBS Tennessee entered into a Resolution Agreement that contained a Corrective Action Plan. The Corrective Action Plan obligates BCBS Tennessee to (1) provide OCR with its policies and procedures regarding risk management and physical access controls, (2) distribute those policies and procedures to all members of its workforce who have access to electronic PHI, (3) provide training to those workforce members, and (4) conduct random monitor reviews, including site visits and interviews of workforce members, to ensure that its workforce members are complying with BCBS Tennessee’s policies and procedures. Finally, the Corrective Action Plan requires BCBS Tennessee to submit two biannual reports to OCR that document the training efforts and monitor reviews, and to retain all records pertaining to compliance with the Corrective Action Plan for three years.

In the announcement, OCR Director Leon Rodriguez stated that “the HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”