Issued in August 2009, the Breach Notification Rule requires covered entities under HIPAA to report certain breaches to OCR. Although there have been a number of settlements arising from alleged HIPAA violations based on complaints to OCR, this is the first sign of OCR’s approach to enforcement based on self-reports of breaches by covered entities. According to OCR, the HIPAA breach notification requirements are an important tool in its enforcement strategy, which also includes HIPAA compliance audits and training state attorneys general and their staffs to use their new authority under the HITECH Act to enforce the HIPAA Privacy and Security Rules in civil actions.
OCR Investigation Shows BCBST Failed to Comply With HIPAA Safeguards
BCBST had self-reported the potential breach of privacy arising from the theft of 57 hard drives from a network data closet in a leased facility that had been vacated by all BCBST staff. The hard drives, which were encoded but unencrypted, stored more than 300,000 video recordings and one million audio recordings containing the protected health information (PHI) of about one million individuals. OCR’s investigation indicated that BCBST had not implemented appropriate administrative and physical safeguards to adequately protect the information in that: 1) it did not perform the required security evaluation in response to operational changes, and 2) it failed to implement appropriate physical safeguards by not having adequate facility access controls. In response to the theft, BCBST undertook a $6 million effort to encrypt all at-rest data throughout its enterprise, which was reported to be successfully completed in July 2011.
In addition to paying the $1.5 million settlement, BCBST entered into a CAP with HHS, which requires BCBST to create adequate policies and procedures addressing risk assessment, risk management, and physical security, and to increase training of employees and monitoring of their compliance with BCBST HIPAA policies.
Practical Advice for Covered Entities
In light of OCR’s recent enforcement actions, covered entities should consider the following:
Conclusion and Implications
The number of OCR investigations that have resulted in corrective action has nearly doubled since 2003. OCR’s Resolution Agreement with BCBST may foreshadow more vigorous enforcement of the HIPAA privacy and security rules. Covered entities should examine their current HIPAA policies and practices to verify that the entity’s operations are current and consistent with the recent legal changes. For businesses subject to these rules, collaboration with health care counsel knowledgeable about HIPAA is an important step in protecting against enforcement exposure and helping ensure compliance.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
M. Leeann Habte
Los Angeles, California
R. Michael Scarano, Jr.
San Diego, California
Peter F. McLaughlin
The authors wish to acknowledge the significant contribution of Law Graduate Danna Carmi to this article.