“Oh dear, not again” – HIPAA breach Apr 5, 2012
When I wrote my new year’s predictions this year, I said that the number of HIPAA violations would decrease because folks had certainly learned something from last year. Now, I have to admit that I was wrong. Please see the latest information from our Compliance Officer, Paula Ciotti:
Blue Cross Blue Shield of Tennessee (BCBST) agreed this week to a settlement with the Department of Health and Human Services (HHS) resulting from potential HIPAA violations. This enforcement action is the first resulting from a data breach notification report as required by the Health Information Technology for Economic and Clinical Health Act (HITECH) Data Breach Notification Rule that became effective on September 23, 2009.
BCBST submitted notice to HHS on November 3, 2009 that 57 hard drives had been stolen. These hard drives contained the electronic protected health information (ePHI) of over one million individuals. The Office for Civil Rights (OCR) began an investigation into the theft in January 2010.
According to the terms of the Resolution Agreement, BCBST agreed to pay HHS $1,500,000 and agreed to a corrective action plan (CAP) to address gaps in its HIPAA compliance program. The CAP includes the following:
- Written policies and procedures that include:
  - A risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site;
  - A risk management plan that implements security measures sufficient to reduce risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level;
  - Facility access controls and a facility security plan to limit access to electronic information systems and facilities; and
  - Physical safeguards governing the storage of electronic storage media containing ePHI.
- Evidence that the policies and procedures have been distributed to all members of the workforce;
- Certification form from each member of the workforce that the member has read, understands, and shall abide by the policies and procedures;
- Evidence that all members of the workforce have been trained on the policies and procedures with each member certifying that they have received the required training;
- Following submission of the first biannual report, BCBST shall not involve any member of the workforce in activities involving ePHI without the member first completing the required training.
BCBST was also compelled to hire a monitor to make sure that the above was done. The monitor will also check the physical safeguards on the storage media and portable devices.
As Paula points out, we all need to have a plan and act upon it. Encryption is one aspect of the physical safeguards that folks have a hard time understanding, so we will deal with encryption in our next blog.
Written by Debi Warner, Clinical Librarian, Anthelio Healthcare Solutions