The first enforcement action from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule has resulted in an agreement by Blue Cross Blue Shield of Tennessee (BCBST) to pay the Department of Health and Human Services (HHS) $1.5 million.
BCBST reported that unencrypted hard drives had been stolen from a leased storage facility in Tennessee. The hard drives contained the personal health information of more than one million people, including Social Security numbers and dates of birth. An investigation found that BCBST had failed to ensure the facility had the proper security measures in place as required by HIPAA rules. The settlement also requires BCBST to establish a corrective action plan to revise its security policies and conduct training.
The HITECH Breach Notification Rule requires HIPAA covered entities to promptly make notifications in the event of a breach that affects more than 500 individuals. The entity must notify each affected individual, the HHS Secretary, and the media. A breach affecting fewer than 500 individuals need only be reported to the HHS Secretary on an annual basis.
More information on the HITECH Breach Notification Rule can be found on the Department of Health and Human Services website.
The HIPAA Privacy and Security Rules are enforced by the Department of Health and Human Services (HHS) Office for Civil Rights. The HIPAA Security Rule establishes requirements for how covered entities must secure and protect electronic health information, and for keeping it secure and protected on an ongoing basis.