The Blue Cross Blue Shield of Tennessee (BCBST) settled a HIPAA breach of privacy case for $1.5 million. The HHS website outlines the particulars of the case. Fifty-seven unencrypted hard drives were stolen from a facility. They contained personal health care information on over 1 million individuals, so the fine came to roughly $1.50 per person, and was probably less than it would have cost the company to properly secure that information.
Nevertheless, the case highlights several things the company could have done differently in order to follow HIPAA rules. The first is that the data was being held in a leased space, one that apparently was not particularly secure. The company could have held the hard drives in a facility that it owned, over which it had more control of the security procedures. In that situation, the company would have had its own access controls on the facility. With a leased space, the owner of the building has a certain degree of access, so there is a greater risk of a breach. In this instance the owner of the building, or the management company, was actually in charge of security, and they may not have known the proper HIPAA procedures for storing sensitive health information. BCBST also had less visibility into the security of the data.
Furthermore, the files were on the hard drives and all the hard drives were stored in one place. Damages could have been mitigated if the files had been kept in multiple locations: in the event of a breach, far fewer people would have had their information compromised. Making matters worse, the company had vacated most of the premises in question, except for the closet where the network hardware was kept. As a result there was almost no staff visibility into the hardware on which the data was stored. This made it easier to steal, and in this case the theft was not noticed for 3 days, partly because the storage was in a location away from where the staff actually worked.
The lack of encryption is one of the most important aspects of this case. Sensitive personal health information kept on hard drives should be stored encrypted. That way, even if the hard drives fall into the wrong hands, the information is not easily accessed. You obviously want to prevent the hard drives from being stolen in the first place, but you also have to ensure that the data is encrypted so that, if anything does happen, there is that additional barrier protecting individuals' protected health information.
The company did not admit any wrongdoing, but HIPAA requirements include establishing a chain of trust whenever third parties are responsible for the security of health data. It is not known at this point whether there was such an agreement with Eastgate, the management company that was responsible for securing the facilities. Such an agreement would need to specify what Eastgate had to do in order to meet HIPAA requirements, because Eastgate would be acting on behalf of BCBST to provide this security and would have to meet those standards. It is the role of BCBST to ensure that its partners meet this standard.
Part of the corrective action plan refers to training, which indicates that there were training issues. Management at BCBST was clearly negligent in its duties, and the company is responsible for ensuring that its employees are aware of their regulatory requirements. Training would put the managers in a position to succeed, because they would know what their obligations are; in this case there were obligations that were not met, and a lack of training may have been one of the reasons the company did a poor job of securing this data. Anybody with any responsibility for health records must be aware of their responsibilities and the rules.
PowerPoint Slides:
Slide 1: Overview of the BCBST Case
Data stored on unencrypted hard drives
Hard drives were in a closet
Security provided by building management
Rest of the office had moved
Hard drives were stolen
Slide 2: HIPAA Violations
Lack of chain of trust
Poor knowledge of safeguards
Inadequate training of BCBST management
Lack of encryption
Slide 3: Administrative Remedies
Better training of security needs
Ensuring that third party security company knows its requirements
Establishing chain of trust
Better documentation of security practices
Slide 4: Technical Remedies
Encryption on sensitive personal health information
Do not store information on just one hard drive
Ensure that information cannot be accessed even if it is stolen
Slide 5: Physical Remedies
Biometric security
Store hard drives at a BCBST site
Store data on hard drives in multiple sites
Regular security checks
Slide 6: Conclusions
BCBST did not admit wrongdoing
There were clearly errors, or areas for improvement
Management training would eliminate many errors
Good learning opportunity
References
HHS.gov (2018). HHS settles HIPAA case with BCBST for $1.5 million. Department of Health and Human Services. Retrieved January 13, 2018 from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/BCBST/index.html
HHS.gov (2018). Resolution agreement. Department of Health and Human Services. Retrieved January 13, 2018 from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf