BlueCross BlueShield of Tennessee (BCBST) was the victim of a theft in 2009 when an intruder stole 57 hard drives which contained protected health information (PHI) of more than 1 million customers.  The information on the hard drives included names, Social Security Numbers, diagnosis codes, dates of birth, and health plan identification numbers.  Reports suggest that the information would be very difficult to extract from the hard drives and BlueCross BlueShield of Tennessee undertook great efforts and significant expense to identify their customers.  Indeed, over 800 people may have worked on the efforts to identify the customers.  After the incident, BCBST undertook efforts to encrypt all data at rest.

Still, BCBST entered into a resolution agreement (.pdf) on March 13, 2011, by which it agreed to pay $1.5M.  BCBST also entered into a corrective action plan (CAP) which sets out a period of compliance obligations and has a term of 450 days.  The CAP requires:

  • BCBST implement policies and procedures (to be reviewed by HHS) which require:

–  A risk assessment be performed to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site

–  A risk management plan be implemented to respond to the risks identified in the risk assessment;

–  Use of facility access controls and a facility security plan to limit access to areas where ePHI is located;

–  Physical safeguards governing the storage of electronic storage media containing ePHI;

  • Training on policies and procedures;
  • Random monitoring by BCBST’s Chief Privacy Officer for compliance with the policies;
  • Biannual reports to HHS over the CAP period describing compliance with policies and procedures, training efforts, and reportable events that occurred.

When dealing with regulators, such as OCR, keep these principles in mind:

  • Regulators expect transparency.
  • Your investigation should be prompt, thorough, and well documented.  If certain investigations are privileged, make certain that you assert that privilege.
  • A good attitude and cooperation send a message that the organization is committed to compliance and safeguarding PII, PHI, and ePHI.
  • Notification concerning a breach should be appropriate and prompt.
  • Know the root cause of the breach and address it through staff training, awareness programs, technical safeguards, and new policies/procedures/physical safeguards.
  • Provide customers with the appropriate level of mitigation or remediation measures.  Credit monitoring does not always address the risk to the customer.  Sometimes, it can be as simple as advising a patient to monitor its Explanation of Benefits (EOB) statements or telling a customer to file a report with a credit card company that his or her credit card number has potentiall been exposed.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”  The safeguard and training requirements of the CAP are very similar to requests for information we see from OCR following a reportable breach.  If a healthcare organization does not currently have the above risk management plans and safeguards in place, the warning sent as a result of this settlement is clear—make these compliance issues a priority before you have a reportable breach.