The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.
The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.