A New Era of Enforcement?
BCBS of Tenn. Case Could Be Turning Point
Since last September, when he took over as director of the Department of Health and Human Services' Office for Civil Rights, Leon Rodriguez has touted his plans for stepped-up enforcement of the HIPAA privacy, security and breach notification rules. The recent news that BlueCross and BlueShield of Tennessee paid a $1.5 million penalty following a massive breach incident could signal the start of a new era of enforcement at OCR.
OCR entered the settlement with the health insurer as a result of an October 2009 breach. In announcing the settlement, Rodriguez stressed that it was the first enforcement action resulting directly from a self-reported breach in compliance with the HIPAA breach notification rule mandated under the HITECH Act. The Blues plan's breach occurred just a few weeks after the rule took effect. In fact, it was the first huge healthcare breach to draw headlines following the September effective date of the rule.
So now what? Well, because the Blues plan breach was among the earliest reported, I expect we'll see sanctions in a number of other high-profile breach cases that appear on OCR's "wall of shame," which lists breaches affecting 500 or more individuals.
I'm betting some future settlements will include significantly higher penalties than what the Tennessee health plan paid. That's because the health plan made some good moves in the wake of the breach that, I suspect, may have led to a lower penalty.
BlueCross and BlueShield of Tennessee posted frequent, detailed updates on its website about the breach, which affected 1 million. It offered credit protection to many of those affected. And health plan executives also talked frankly about lessons learned in the wake of the breach. In a 2010 interview with me, they discussed such steps as appointing a chief security officer and adding a layer of physical security to servers (see: BCBS of Tenn. Breach: Lessons Learned). And in a 2011 interview, executives described the encryption of all stored data in the aftermath of the breach (see: BCBS of Tenn Encrypts All Stored Data).
But, as OCR reported, the Blues plan clearly failed to take some very basic steps to protect patient information, which led to the breach. And for that, a penalty was long overdue.
The breach involved the theft of 57 unencrypted computer hard drives from a leased call-center facility that had recently closed. OCR's investigation determined the health plan "failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the settlement announcement. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls."
In addition to the $1.5 million payment, the insurer must carry out a 450-day "corrective action plan," which requires, among other things, regularly revising and maintaining its privacy and security policies and procedures.
More Penalties to Come?
I suspect that some other major breaches will result in higher penalties because the organizations involved failed to take as many post-breach steps - including hefty investments in security technologies - as the Tennessee plan. And I'm betting that we'll see a number of settlement announcements from Rodriguez' office in the weeks ahead. I sure hope so.
A powerful way to spread the word about the importance of breach prevention is to publicize costly settlements with organizations that failed to take adequate steps to protect patient data. The more cases that involve paying millions of dollars in penalties, the easier it will be for security professionals to win support for breach-prevention investments.
Another catalyst for breach prevention is OCR's ongoing HIPAA compliance audit program. After this year, that program will need a new source of funding to continue. Some of the money reaped from HIPAA enforcement efforts can help pay for more audits and other enforcement activity, while a portion of the funds must be used to compensate breach victims, according to the HITECH Act (see: Fewer than 150 HIPAA Audits Expected).
In addition to the $1.5 million penalty, BlueCross BlueShield of Tennessee estimates it has spent nearly $17 million on breach investigation and notification expenses as well as new data protection efforts. That's a high price, to be sure.
So if your organization's senior leaders have been reluctant to back new investments in information security, be sure to educate them about the potential costs of failing to act.