Security Issues
In the case, Blue Cross Blue Shield of Tennessee agreed to make a settlement of $1.5M to HHS for infringement of HIPPA. BCBST also agreed to make changes to its programs to be able to comply with HIPPA requirements and avoid future violations that could result in lawsuits. BCBST had reported that 57 hard drives had been stolen in Tennessee from a rented office which put the security and privacy of data stored at risk (HHS.gov, 2012).
From the case, it is evident that the hard drives stolen had crucial information of more than one million people. The drives had health data of people including their names, savings numbers, dates of conception, health plan numbers, and conclusion codes, which were supposed to be private. According to OCR, BCBST had failed to secure the data in the hard drives by failing to conduct a security assessment of the building as well as put the necessary measures to prevent possible access of information from the drives. Inadequate office access controls violated the security rule as provided by HIPPA. The failure by BCBST to protect the data is the reason why such a settlement was reached since there was a gross violation of privacy, confidentiality, and integrity of personal data (Mullen, 2012).
HIPPA Security requirements
Two security requirements could have prevented the security issue in question which led to BCBST making a settlement on the issues raised.
HIPAA Privacy Rule
This rule outlines the manner in which protected health information should be disclosed. The rule applies to health information that is not limited to electronic, oral, or written data. The requirements if followed should have prevented a possible threat to the privacy of information stolen from the drive.
HIPAA Security Rule
This rule applies to electronic health information and establishes security standards that provide adequate security to data. If the rule is implemented in organizations, the security of electronic data will be protected irrespective of all the threats to the information.
Analysis of the corrective actions
One of the corrective actions that can be termed to be efficient is the move by BCBST to make a settlement with HHS to cover all the potential costs that could arise in regard to the information contained in the drive. The company additionally incurred additional costs to recover ePHI data to the volume of 885 terabytes (Dimick, 2012). The company additionally took the imitative to implement necessary controls to prevent future cases of the same magnitude. Some of the measures taken include;
- Training its staff on safe handling of ePHI handling including access and transfer to restrict unauthorized access.
- Comply with all the provisions in regard to office access controls.
- Encrypting all ePHI to protect the security and privacy of all electronic data.
Analysis of security issues
The security issue is unauthorized access to health information, particularly in electronic form. The data in the drives could be easily accessed since the company had not put up efficient measures to protect the data. The company needs to implement some safeguards to protect it against security issues.
- BCBST needs to encrypt all the information in the drives as well as use password controls to prevent access in the event of theft.
- The company needs to adopt improved security controls to its offices including the use of fingerprint sensors to allow entry into the building.
References
Dimick, C. (2012). HHS settles HIPPA investigation for $1.5 million. Retrieved from http://www.journal.ahima.org/2012/03/22/hhs-settles-hipaa-investigation-for-1-5-million/
HHS.gov. (2012). HHS settles HIPAA case with BCBST for $1.5 million. Retrieved from http://www.hhs.gov/news/press/2012pres/03/20120313a.html
Mullen, W. (2012). Health Insurer’s Costly Privacy Breach Provides Guidance For Managing
HIPAA Risks Associated With Electronically Stored PHI.
