BCBS Settlement Details $17M in Corrective Actions
"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."
The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.
"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.
"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.
HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.
As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth largest breach.
"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."
Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.
- Patient Harm Data to Remain on Medicare's Hospital Compare Site
- Quiet ORs Better for Patient Safety
- Tavenner Confirmed as CMS Administrator
- CMS Seeks to 'Rapidly Reduce' Medicare Spending with $1B in Grants
- Leapfrog Hospital Safety Scores 'Depressing'
- Building a Better Healthcare Board
- Hard-Nosed About Physician Teamwork
- Case Study: Advance Care Conversations
- Healthcare Leaders Sound Off on Organized Labor
- CMS Releases Hospital Pricing Data