BCBS Settlement Details $17M in Corrective Actions

Dom Nicastro, for HealthLeaders Media , March 15, 2012

In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.

The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)]) calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."

CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:

  • Move data files and tapes to another facility
  • Implement a new information system
  • Change access controls
  • Change off-site storage companies or procedures

"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.

"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."

1 | 2 | 3 | 4 | 5

Comments are moderated. Please be patient.


MOST POPULAR

SPONSORED REPORTS
SPONSORED HEADLINES

SIGN UP

FREE e-Newsletters Join the Council Subscribe to HL magazine

SPONSORSHIP & ADVERTISING

100 Winners Circle Suite 300
Brentwood, TN 37027

800-727-5257

About | Advertise | Terms of Use | Privacy Policy | Reprints/Permissions | Contact
© HealthLeaders Media 2014 a division of BLR All rights reserved.