$1.5 Million HIPAA Settlement After Breach Report Triggered Enforcement
On March 13, 2012, the U.S. Department of Health and Human Services (HHS) issued a news release publicizing its settlement with BlueCross BlueShield of Tennessee (BCBS) for $1.5 Million. This settlement resulted from a HIPAA enforcement action commenced after BCBS reported the theft of 57 unencrypted computer hard drives containing electronic protected health information (ePHI). BCBS also agreed to a “Corrective Action Plan” to bring its HIPAA compliance program up to regulatory standards. The implementation of revised Privacy and Security policies will be monitored as a condition of the settlement. If BCBS fails to follow the Corrective Action Plan, then pursuant to the Resolution Agreement, HHS may impose a civil money penalty for HIPAA violations.
A brief look at the Corrective Action Plan is useful for any entity required to comply with HIPAA, because it is far better to meet compliance standards voluntarily and in the way HHS expects:
- Update HIPAA policies and procedures, including conducting a risk assessment of vulnerabilities and implementing a reasonable risk management plan that includes physical safeguards and facility access controls;
- Distribute HIPAA policies and procedures to all workforce members having access to ePHI. Have them certify that they have read, understand, and shall abide by these policies and procedures, and do not permit access to ePHI without this certification; and
- Train all members of the workforce with access to ePHI, as well as new workforce members within 30 days of beginning service. Maintain records of training certification and of training materials.
Ultimately, each entity is responsible for complying with the HIPAA Privacy and Security regulations in a manner that addresses the particular risks and vulnerabilities of that individual entity.