HHS Hits Insurer for $1.5 Million

On March 13, 2012 the U.S. Department of Health and Human Services announced that it had settled its first enforcement action resulting from a breach reported under the HITECH Act.  In the settlement, Blue Cross/Blue Shield of Tennessee agreed to pay One Million Five Hundred Thousand Dollars ($1,500,000.00) to resolve potential violations of the HIPAA Privacy and Security Rules.  Additionally, Blue Cross agreed to a corrective action plan to prevent further breaches.

The settlement resulted from Blue Cross' report of the theft of 57 unencrypted computer hard drives from one of its leased facilities.  The drives contained PHI for over one million members, including names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.  According to OCR, Blue Cross failed to implement appropriate administrative safeguards to protect the information at the leased facility.  Notably, it failed to perform a required security evaluation in response to operational changes at the facility.

The settlement demonstrates the need to re-evaluate security procedures on a regular basis to make sure that they still work.  We have seen frequent instances where a security policy is outdated because administrative and/or technological changes have made the plan obsolete.  Readers may recall that OIG previously released an audit of security policies at hospitals and found that, for the hospitals subject to the audit, security policies were grossly inadequate.  We can expect further audits of this kind as OCR ramps up security enforcement.

We would like to get a consensus on how often your institution reviews its security policies.