Tennessee Blue Cross settles HIPAA case for $1.5M

Justine Varieur Cadet | | Health Imaging | Economics
merger, acquisition, money, handshake - 113.76 Kb
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA privacy and security rules.

BCBST also has agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act breach notification rule.

The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of more than one million individuals, including member names, social security numbers, diagnosis codes, dates of birth and health plan identification numbers.

The investigation of the Office for Civil Rights (OCR) indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA security rule.

In addition to the $1.5 million settlement, the agreement requires BCBST to review, revise and maintain its privacy and security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.

HHS' OCR enforces the HIPAA privacy and security rules. The HIPAA privacy rule gives individuals rights over their PHI and sets rules and limits on who can look at and receive that health information. The HIPAA security rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical and administrative safeguards to ensure that electronic PHI remains private and secure.

The HITECH breach notification rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.

Justine Varieur Cadet

Related Content

‘A huge win’: CMS significantly increases Medicare payments for cardiac CT
A closer look at how FDA's flurpiridaz approval will impact nuclear cardiology
Cath lab techs and nurses see new normal with post-COVID pay
SpectraWAVE raises $50M for FDA-cleared intravascular imaging technology
CMS could increase CCTA payments—the American College of Cardiology wants to help
Challenges to the financial stability of the American healthcare system

Around the web

Cardiovascular Business
Global shortage of nuclear imaging isotopes may be over

The nuclear imaging isotope shortage of molybdenum-99 may be over now that the sidelined reactor is restarting. ASNC's president says PET and new SPECT technologies helped cardiac imaging labs better weather the storm.

Cardiovascular Business
‘A huge win’: CMS significantly increases Medicare payments for cardiac CT

CMS has more than doubled the CCTA payment rate from $175 to $357.13. The move, expected to have a significant impact on the utilization of cardiac CT, received immediate praise from imaging specialists.

Cardiovascular Business
FDA clears AI tool that flags signs of heart disease in chest CT scans

The newly cleared offering, AutoChamber, was designed with opportunistic screening in mind. It can evaluate many different kinds of CT images, including those originally gathered to screen patients for lung cancer. 

Design by Adaptive Theme
Trimed Popup
Trimed Popup