BCBS Settlement Details $17M in Corrective Actions

"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."

The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.

"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.

"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.

HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.

As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth largest breach.

"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."

Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.