The following article was co-written by my Health Care Department colleagues Sal Rotella and Bill Conaboy. Thanks guys!
On March 13, 2012 – almost 30 months after becoming one of the first entities to self-report a breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act – BlueCross BlueShield of Tennessee (BCBST) agreed to pay the Department of Health and Human Services (HHS) a record-setting $1.5 million civil monetary penalty (CMP) for failing to safeguard protected health information (PHI).
The HITECH Act and HIPAA Enforcement
HHS adopted the interim final rule for HITECH’s breach notification requirement only a few weeks before the BCBST breach. The final rule requires covered entities to notify HHS following a breach of unsecured PHI. If a breach affects 500 or more individuals, the covered entity must report the breach electronically “without reasonable delay and in no case later than 60 days from discovery of the breach.”
HITECH’s breach notification rule changed the game with respect to HIPAA enforcement; HHS now has the ability to impose previously unheard-of civil monetary penalties for violations of HIPAA’s privacy and security regulations. The HITECH Act established a four-tier penalty system, under which the CMP per violation increases along with a covered entity’s culpability for the breach. For instance, as a result of HITECH, HHS can now assign culpability and issue fines ranging from at least $100 per violation, where a person neither knew nor reasonably could have known of the violation, to $50,000 per violation, where a person intentionally failed to remedy a known breach. This range of fines significantly broadened HHS’s enforcement authority. In addition, HITECH carries a maximum $1.5 million penalty for any violation, a far cry from the pre-HITECH maximum penalty of $25,000.
BlueCross BlueShield of Tennessee – The Facts
Shortly after the HITECH Act passed – and before it was officially announced by an HHS press release – BCBST began relocating its Chattanooga offices. After it had relocated its staff, BCBST still needed to move various storage containers, including a “network data closet” housing 57 hard drives. The hard drives contained over 1.3 million video and audio recordings of customer service calls, including the PHI of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. BCBST made various efforts to secure the data closet’s contents. For example, the “closet” was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. BCBST’s former landlord also continued to provide security for the closet. Despite these seemingly extensive security efforts, on Monday, October 5, 2009, BCBST discovered that the 57 hard drives had been stolen. As required by the HITECH Act, BCBST self-reported the breach to HHS.
HHS Applies HITECH’s New Four-Tiered Penalty System
The BCBST case highlights the potential consequences of reporting a breach. The case also demonstrates the significant monetary exposure that can result even from what appears to be mere negligence. Notwithstanding BCBST’s significant efforts to secure the hard drives, the company was still fined $1.5 million because of the sheer number of individuals whose PHI was disclosed.
HHS’s enhanced ability to enforce HIPAA policies under the HITECH Act underscores the importance of developing, maintaining and testing comprehensive privacy and security policies. As the HHS Office for Civil Rights (OCR) commented, the BCBST settlement “sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”