Blue Cross Blue Shield of Tennessee has agreed to pay the U.S. Department of Health and Human Services $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy and Security Rules. The insurance company has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health Act Breach Notification Rule.

The investigation followed a report that 57 unencrypted computer hard drives were stolen from the company’s leased facility in Tennessee. The drives contained the protected health information of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. The HHS Office for Civil Rights investigation indicated that the company failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

In addition to the $1,500,000 settlement, the agreement requires the company to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure its compliance with the corrective action plan.

The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.