The Department of Health and Human Services (HHS) recently enforced the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule for the first time, in a $1.5 million settlement.
If you would like to have a personalized conversation concerning the HITECH Breach Notification Rule, you can give us a call at (703) 683-9600 or click here to fill out our contact form.
Settling Healthcare Data Breaches
Blue Cross Blue Shield of Tennessee (BCBST) settled with HHS after the organization disclosed in a breach notification report that 57 unencrypted hard drives containing the protected health information (PHI) of over one million individuals were stolen from a leased BCBST facility in Tennessee. Because the drives were unencrypted, the PHI on them counted as "unsecured" PHI under the rule, which is what made the theft a reportable breach in the first place. An investigation by the HHS Office for Civil Rights found that BCBST had not implemented adequate administrative and physical safeguards to protect the PHI stored within the facility. Specifically, BCBST did not conduct a security evaluation of the leased facility before storing individuals’ PHI there.
Under the settlement agreement, BCBST must review and update the organization’s HIPAA policies and procedures to improve the privacy and security of PHI. Further, BCBST must train all employees on HIPAA requirements and monitor the organization’s compliance with the corrective action plan. BCBST is also required to revise its facility access plans to deter future thefts of PHI.
The HHS Press Release on the HITECH Notification Settlement is available at:
The HHS Resolution Agreement is available at:
Learn more about handling HIPAA and HITECH Act Compliance.
Department of Health and Human Services, Office for Civil Rights. Resolution Agreement. 12 Mar. 2012.
Department of Health and Human Services. “HHS Settles HIPAA case with BCBST for $1.5 Million.” Press Release. 13 Mar. 2012.