BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach
Friday, April 13, 2012
Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Human Services (HHS) about its 2009 data breach, which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-day corrective action plan.
HHS had alleged in a lawsuit that BCBST had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The HIPAA Security Rules require covered health care organizations to notify affected individuals of any breach involving their health information, and to notify HHS and the news media about any breaches affecting more than 500 consumers.
HHS disclosed in a news release:
"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."
The 450-day corrective action plan requires BCBST to:
- Review, revise, and maintain its Privacy and Security policies and procedures,
- Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and
- Perform monitoring reviews to ensure BCBST compliance with the corrective action plan.