Earlier this month, the Department of Health and Human Services (HHS) entered into a $1.5 million settlement with BlueCross BlueShield of Tennessee to settle healthcare information privacy and security violations under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). BlueCross had self-reported the underlying incident under HIPAA’s requirements, and incurred more than $17 million in direct expenses relating to its investigation and remediation of the incident. The HHS investigators faulted BlueCross BlueShield for failing to implement appropriate administrative safeguards to protect information by storing protected health information on unencrypted computer hard drives. Under the settlement, BlueCross BlueShield also agreed to review and revise its healthcare information privacy and security policies, and to train employees regularly for HIPAA compliance.
This settlement represents a continuing trend of dramatically increased HIPAA enforcement activity with escalating fines, dramatic increases in investigatory and remediation expenses, and parallel enforcement by states. The BlueCross matter is equally significant because it is the first settlement resulting from the notification of a security incident to HHS under its breach-notification rules.
Please see full publication below for more information.