Recently, Blue Cross Blue Shield of Tennessee was fined $1.5 million by the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to a data breach in which protected health information (PHI) was disclosed without authorization. In 2009, an intruder illegally accessed a Blue Cross building and took more than fifty computer hard drives containing unencrypted information on about 1 million Blue Cross members. According to published reports, the recent fine brought the total estimated costs related to this one breach to over $18 million. Furthermore, the company estimates that over three hundred of its employees have worked at least part time on duties related to the breach. (That is what we call “opportunity cost.” When people are working on data breaches, they are not working on your business.) Lastly, the insurance company was ordered to revise its privacy and security policies and regularly train employees on their responsibilities under HIPAA.
This is only the most recent HIPAA enforcement action as authorized under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act’s new compliance requirements.
- In February 2011, the Department of Health and Human Services (HHS) imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for HIPAA violations.
- Also in February of last year, HHS agreed to a $1 million settlement with Massachusetts General Hospital for similar violations.
Breach notification has become a significant factor in all privacy legislation. The changes to HIPAA under the HITECH amendments to the Social Security Act effective in February of 2010 require all HIPAA-covered entities (healthcare providers, payers or payment clearing houses) to notify affected individuals, and in some cases the media and HHS, of any breach involving PHI by those entities or possibly business associates thereof. These are unbudgeted costs that can no longer be sustained or swept under the rug for the majority of businesses, in any sector.
The HIPAA effective date is now almost ten years old. The Office of Civil Rights (OCR) was originally empowered with investigating and enforcing HIPAA Privacy and Security Rule Violations. However, enforcement actions under the law prior to HITECH for unauthorized use of PHI had been few and far between. Thus, and probably as a direct result of a lack of consistent enforcement, while HIPAA has been on the radar and in the healthcare lexicon, the level of effective implementation and compliance across the healthcare industry has been inconsistent at best.
But the game is changing with HITECH. Even though the HITECH changes have become effective over the past couple of years, as with any law, it takes a couple of years for mandates to go into effect and the results to be seen. The recent enforcement action in Tennessee proves it would do any healthcare Covered Entity or Business Associate well to remind itself of the increased liabilities associated with using unsecured protected health information under this new compliance model.