BCBS Settlement Details $17M in Corrective Actions
"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."
The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.
"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.
"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.
HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.
As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth largest breach.
"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."
Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.
- MU Compliance Announcement Sparks Concern, Confusion
- New G-Codes to Pay Doctors for Broad Array of Non-Face-to-Face Care
- Scary Financial Challenges for 2014
- MGMA Urges 'End-to-End' ICD-10 Testing
- 1 in 5 CT Screenings for Lung Cancer Results in Overdiagnosis
- Resisting the Healthcare Consolidation Frenzy
- LifePoint Bolsters Presence in Michigan's Upper Peninsula
- Telehealth Improves Patient Care in ICUs
- CMS Sets 2014 Pay Rates for Hospital Outpatient and Physician Services
- Give Nurses in Wheelchairs a Chance