BCBS Settlement Details $17M in Corrective Actions
In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.
The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)]) calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."
CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:
- Move data files and tapes to another facility
- Implement a new information system
- Change access controls
- Change off-site storage companies or procedures
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.
"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."
- Primary Care Docs Average More Hospital Revenue Than Specialists
- 69% of Employers Plan to Offer Healthcare Coverage After 2014
- How Chargemaster Data May Affect Hospital Revenue
- Insurer's App Aims to Lower Healthcare Costs, Securely
- ED Physicians Key to Half of Hospital Admissions
- Building a Better Healthcare Board
- Q&A: Catholic Health Initiatives' New Senior VP for Capital Finance
- House Lawmakers Grill CMS Over Health Exchange Navigators
- Don't Let Nurses Sink Your Bottom Line
- Hospital Pricing Irks Nurses; More Jobs, Less Pay