BCBS Settlement Details $17M in Corrective Actions
"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."
The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.
"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.
"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.
HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.
As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth-largest breach.
"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."
Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.