HIPAA Violation Leads to $1.5M Fine: 5 Takeaways for Businesses

In November 2009, 57 unencrypted computer hard discs containing protected health information of more than one million people were stolen from a storage locker leased by Blue Cross Blue Shield of Tennessee (BCBST). Recently, the Department of Health and Human Services entered into a $1.5 million settlement with BCBST over privacy and security violations as a consequence of that data breach.

The sanctions represent the government’s first enforcement action against an entity that voluntarily filed a breach report under the terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act. For your reference, five takeaways from the settlement:

1. Think your data is secured? So did Blue Cross Blue Shield of Tennessee:

“HHS concluded, based on its investigation, that BCBST failed to implement appropriate administrative safeguards to adequately protect the information at the leased facility because it did not perform the required security evaluation in response to operational changes. The information, however, was stored in a leased data closet secured by biometric and keycard scan security and in a building with additional security provided by the facility owner.” (HHS and BCBST Settle HIPAA Case for $1.5 Million by King & Spalding) 

2. The fine was just a portion of the financial cost of the breach:

“According to the Nashville Business Journal, BCBST reported that it has spent nearly $17 million in investigation, notification and protection efforts.   Thus, even though privacy class actions typically falter for inability to prove recoverable damages, the BCBST case demonstrates that data breaches can still result in substantial administrative fines and remediation costs.” (The Cost of HIPAA Non-Compliance – $17 Million – UPDATE by Mintz Levin) 

3. The total cost of a violation can be far greater than money:

“In addition to paying a penalty of $1.5 million, BlueCross agreed to a corrective action plan that requires it to, among other things, submit its HIPAA privacy and security policies and procedures to HHS for review and approval, distribute the policies and procedures to all members of its workforce who have access to PHI, report violations of the policies and procedures by members of the workforce to HHS within 30 days, train all current workforce members on the approved policies and procedures and all new workforce members within 40 days of hire, and submit to unannounced site visits.” (HIPAA/HITECH Enforcement Action Alert by Morgan Lewis) 

4. HIPPA compliance isn’t just a healthcare provider problem:

“For employers (and service providers that support entities covered by HIPAA as business associates), this development is significant because it shows that the healthcare system, which is driven largely by employer-sponsored plans, has become a significant priority for regulators, including with regard to healthcare privacy and data security. In addition, a number of new laws and regulations that trigger additional risks have emerged for group health plans in recent years.” ($1.5 Million Settlement after HIPAA Security Incident Results in More Than $17 Million in Investigation and Remediation Costs by Wilson Sonsini Goodrich & Rosati) 

5. There’s no time like the present to review policies and procedures for compliance:

“… it is never too early for covered entities and their business associates to evaluate and improve internal HIPAA compliance processes.  BCBST was the first, but there are bound to be more enforcement actions related to disclosures under the [HITECH Breach Notification] Rule, and every organization can benefit from a comprehensive HIPAA/HITECH checkup.” (HHS OCR Announces First Settlement of a Self-Reported HIPAA Violation by Mintz Levin) 


Find additional Health Law updates on JD Supra»