The Office for Civil Rights (OCR) has taken its first enforcement action resulting from the HITECH Breach Notification Rule and has fined Blue Cross Blue Shield of Tennessee (BCBST) for violating the HIPAA Privacy and Security Rules. BCBST has now reached a settlement with the HHS and will pay $1.5 million over the security breach and its potential HIPAA violations.
The data breach was one of the largest ever reported, involving the PHI of more than 1 million people. Sensitive patient data was exposed, including Social Security numbers, dates of birth, health plan numbers, contact information and medical diagnosis codes. The data was stored on 57 unencrypted hard drives which were stolen from its offices in Tennessee. Under the HIPAA Security Rule, healthcare organizations must ensure that appropriate physical, technical and administrative safeguards are in place. When OCR conducted its investigation, it determined that BCBST had not taken precautions to protect confidential data and had not fulfilled its obligations under HIPAA. Physical safeguards to prevent access to the hardware were inadequate, with poor access controls, and a thorough security evaluation had not been performed.
According to OCR Director Leon Rodriguez, “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” He went on to say, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”
Although BCBST had taken steps to comply with HIPAA regulations prior to the breach, there were a number of gaps in its compliance program. Had these gaps not existed, the data breach could have been avoided, even if the theft of company property could not.
As part of the corrective action plan, BCBST has agreed to review its policies and procedures and update them to incorporate additional privacy and security controls. A program of staff training will also be conducted to ensure all employees are aware of their responsibilities under HIPAA.