HIPAA compliance 101—policies, training, monitoring, and risk assessments—might have saved Blue Cross Blue Shield of Tennessee (BCBST) millions, experts say.
Instead, the health insurer agreed to a $1.5 million settlement with the Office for Civil Rights over potential HIPAA security violations and spent another $17 million in breach response costs.
On March 13, BCBST and the OCR, the government's HIPAA privacy and security enforcer, reached the second largest financial settlement of its kind, behind CVS Caremark's $2.25 million price tag a little more than three years ago.
The agreement also requires BCBST to update its HIPAA compliance policies and procedures, obtain OCR approval on all policy changes, and conduct unannounced random audits of its own employees.
This is OCR's first enforcement action related to a breach that was reported per the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements, according to the Department of Health & Human Services.
'Not following the basics'
In the fall of 2009, BCBST reported to OCR that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The hard drives contained protected health information (PHI) for more than one million individuals, including member names, Social Security numbers, diagnosis codes, birthdates, and health plan identification numbers.
"This breach seems to be another instance of not following the basics—policies, training, monitoring," says Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY. "When organizations include privacy and security as key components of their culture and begin applying similar methods to those used in safety and quality programs, the awareness of these issues increases. A well-trained workforce is a tremendous asset in preventing many breaches, especially breaches of this type."
In a statement released to HCPro, Inc., BCBST said the stolen hard drives were located in a data storage closet at a former Blue Cross call center located in Chattanooga. They contained audio and video recordings related to customer service telephone calls from providers and members. Patrick says this type of breach can happen in many environments and probably happens more often than is currently reported.
The Evaluation Standard in the HIPAA Security Rule [§164.308(a)(8)]) calls for HIPAA covered entities (CE) to "perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information."
CEs seem to overlook this requirement, Patrick says, and must ensure they meet appropriate safeguards when they:
- Move data files and tapes to another facility
- Implement a new information system
- Change access controls
- Change off-site storage companies or procedures
"BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS press release. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says CEs must not only review HIPAA security standards but also those by the National Institute of Standards and Technology.
"What can entities do to prevent this from happening? Security risk analysis should be the first order of business, if covered entities haven't done this in the past year," Boggan says. "Review past risk analyses and make sure all problem areas have been addressed. The one thing you might think is unimportant could turn out to be the most important issue you have to address."
To date, there is no indication of any misuse of personal data from the stolen hard drives, according to BCBST. The company's response included the encryption of all its at-rest data as well as investigation, notification, and protection efforts—to the tune of $17 million, according to its statement. That amounts to about $17 per breached record.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in the statement to HCPro, Inc.
Message in the CAP
In addition to the settlement, BCBST must adhere to its corrective action plan (CAP), which states that the health insurer must:
- Review, revise, and maintain its privacy and security policies and procedures
- Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA
- Perform and monitor reviews to ensure BCBST compliance with the CAP
BCBST must also conduct unannounced audits of BCBST facilities housing portable devices and audit 25 BCBST workforce members who use portable devices.
"That's really something I have not seen before," says Ali Pabrai, MSEE, CISSP, chief executive of ecfirst, home of The HIPAA Academy. "They are making them randomly audit their facilities that house portable devices. The fact they are saying it should be done randomly and unannounced shows they are serious about this."
The interim final rule on breach notification went into effect in August of 2009, only months before the BCBST breach. Pabrai says entities should take note that OCR is willing to go back years to investigate breaches.
"Go back and get as much detail as you can on your security incidents," Pabrai says. "You've got to be ready for this. Ensure your policies and procedures for breach and incident management are updated and aligned. Communicate policies effectively to your workforce."
The CAP agreement emphasizes the need to ensure policies and procedures are updated, and that workforce members are trained on the same, Pabrai says.
"Emphasize the sanctions policy with scenarios to reinforce key policies," Pabrai says, adding that CEs should also perform regular risk analysis activities and have an active risk management program.
"The bottom line as a result of this OCR action is that organizations are responsible for establishing and driving a carefully designed, delivered, and monitored HIPAA compliance program," he says.
HITECH breach notification role
The new HITECH requirement to report large patient information breaches to OCR helped bring the BCBST breach to light, an OCR spokesperson wrote in a March 13 e-mail to HCPro, Inc. OCR investigates all reported breaches of 500 or more; it forwards the smaller ones off to its regional offices throughout the United States, the spokesperson said.
As of March 14, the website lists 400 entities reporting breaches of unsecured PHI affecting 500 or more individuals. BCBST has the sixth largest breach.
"Pre-HITECH, a patient may have learned about an impermissible disclosure through a request for accounting of disclosures or if state law required notification," the spokesperson wrote. "The individual could have then filed a complaint with OCR. This case underscores the important utility of the breach reporting notification to bring these incidents to light."
Kate Borten, CISSP, CISM, president of The Marblehead Group, says she's "disappointed" a breach that occurred in the fall of 2009 is just now being settled.
"I would think that self-reported breaches of PHI would be a high priority for HHS to investigate and act on," Borten says. "Otherwise, how much value is there in the reporting requirement? Further, even though a breach occurred, this is still identified as a 'settlement of a potential violation,' not a finding of fault, although the penalty is in line with the HITECH Act civil penalties. How much clearer could this be?"
Asked why it took this long to settle the BCBST case, the OCR spokesperson said, "As one can see from OCR's list of breaches over 500, many of these cases have been resolved quickly through corrective action. More complex cases take time to move from investigation to resolution."
LARGEST SETTLEMENTS TO DATE
The OCR's largest settlements for HIPAA violations include:
- CVS Caremark Co.: $2.25 million, February 2009
- Blue Cross Blue Shield of Tennessee: $1.5 million, March 13, 2012
- Rite Aid: $1 million, July 2010
- Massachusetts General Hospital: $1 million, February 2011
- University of California at Los Angeles Health System: $865,500, July 2011
Note that in February of 2011, OCR fined Cignet Health a $4.3 million civil money penalty, the largest fine for such violations. It was not a settlement.
Editor's note: Follow these links for more material on the BCBST settlement with OCR:
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.