Finding the Messages to Employers in $1.5M HIPAA Settlement

Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.

Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased spaced where the network data closet was located provided security services.

After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.

To resolve HHS’s investigation, BCBST agreed not only to pay $1.5 million but also to enter into a corrective action plan (CAP). The CAP requires BCBST to do the following: (a) conduct a risk assessment and engage in a risk management process with respect to electronic PHI (ePHI) in BCBST’s possession; (b) develop facility access controls and a facility security plan to safeguard information systems and equipment containing ePHI; (c) develop physical safeguards for electronic storage media containing ePHI; (d) train all workforce members with access to ePHI in the policies and procedures embodying items (a) through (c); (e) monitor compliance with the policies and procedures; and (f) report to HHS concerning compliance with the CAP.

Employers can draw several lessons from this incident and its resolution:

First, to date, HHS’s monetary settlements with covered entities have focused on health care providers, such as hospitals and pharmacies. This is the first monetary settlement of which we are aware involving a covered health plan. Insurers and self-insured employers offering HIPAA-covered benefits should take note.

Second, this is the first monetary settlement triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act. It is critical for employers with HIPAA-covered plans, as well as other covered entities, to recognize that notifying HHS of a security breach in accordance with the HITECH Act could trigger an investigation into the circumstances underlying the breach and could ultimately result in an enforcement action.

Third, the underlying incident involved the theft of unencrypted hard drives. Had those hard drives been encrypted, BCBST would not have had an obligation to notify HHS of the theft. In other words, the Resolution Agreement highlights the importance of considering the feasibility of encrypting any movable storage media which contain ePHI.

Finally, HHS seems to have set a fairly high standard for adequate physical safeguards. The Resolution Agreement suggests that BCBST had in place fairly robust physical security for the stored hard drives, including “biometric and keycard scan security with a magnetic lock and an additional door with a key card lock” in addition to building security. HHS, nonetheless, appears to have taken the position that this security was inadequate. Consequently, the Resolution Agreement emphasizes the need for covered entities to pay as close attention to physical safeguards for ePHI as they do to administrative and technical safeguards.

Photo credit: MBPHOTO, Inc.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.