In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.
The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)] calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."
CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.
"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."