BCBS Settlement Details $17M in Corrective Actions
In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.
The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)] calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."
CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:
- Move data files and tapes to another facility
- Implement a new information system
- Change access controls
- Change off-site storage companies or procedures
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.
"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."