HIPAA enforcement has been so intense lately that we are talking about it twice in a row in the Compliance Update. Last month we talked about how the HITECH Act of 2009 increased the maximum civil penalties for violations of the Privacy and Security Rules to $50,000 per violation, with a maximum of $1.5 Million per calendar year for violations of an identical provision. Today we are going to talk about the first settlement to arise from a report made under HITECH's Breach Notification Rule, which requires covered entities to notify affected individuals and the HHS Office for Civil Rights (OCR) when unsecured Protected Health Information (PHI) is improperly disclosed.
On March 13, 2012, OCR announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 Million to settle allegations that it violated HIPAA when 57 hard drives containing unencrypted PHI for more than 1,000,000 individuals were stolen from a data closet. There was no indication that the data had been misused or that any patients had been harmed.
As required under the Breach Notification Rule, BCBST notified OCR of the missing hard drives (the "breach"), which prompted OCR to open an investigation. OCR found that BCBST lacked safeguards required by the HIPAA Security Rule: BCBST did not have appropriate administrative safeguards to protect PHI because it did not perform a security evaluation in response to operational changes, and BCBST did not have adequate physical safeguards because it did not have sufficient facility access controls.
It could have been worse
Last year OCR imposed a $4.3 Million civil money penalty on Cignet Health for denying 41 patients access to their medical records and refusing to cooperate with OCR. Why did Cignet, whose HIPAA violations involved only 41 patients, receive a $4.3 Million penalty, while BCBST, whose breach involved more than 1,000,000 patients, paid $1.5 Million, less than half that amount? Of Cignet's penalty, $1.3 Million was for the access violations themselves and $3 Million was for failing to cooperate with OCR's investigation. By detecting and reporting the incident to OCR, as required by HITECH's Breach Notification Rule, and working with OCR to correct the problem, BCBST avoided additional penalties.
The government is serious... be prepared
OCR Director Leon Rodriguez said the BCBST settlement "sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program."
Health care providers are required to comply with the HIPAA Privacy and Security Rules, and should have policies, procedures and forms in place addressing these rules. As the BCBST settlement shows, it is also crucial to comply with the HITECH Breach Notification Rule. If a breach does occur, promptly following the notification procedures and cooperating with OCR can reduce the penalties.
Here are some tips to help you get started:
- Make sure your HIPAA policies and procedures have been updated to include breach notification. MPA recommends creating a breach notification decision tree to help your staff identify if a breach has occurred, and if notification is required (and by what methods).
- Prepare drafts of notification letters to individuals, so you may promptly comply with the notification requirement if necessary.
- Train your personnel to detect and report breaches.
- Review your security program to see if you are doing everything you reasonably can to prevent breaches. Note that the BCBST drives were unencrypted: under HHS guidance, PHI that is encrypted in accordance with NIST standards is not "unsecured," so the loss of an encrypted device is generally not a reportable breach.
- Conduct periodic audits to determine if your HIPAA Privacy, Security and Breach Notification policies are being followed.
To learn more about how your compliance program can help you avoid HIPAA and other penalties, see MPA's HIPAA Guidance page.