The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.
The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.
Keeping an eye on health care law trends. Thoughts and comments on the health care industry, privacy, security, technology and other odds and ends. Actively posting from 2004-2012 and now "restarted" in response to the COVID-19 Pandemic as a source for health care and legal information.
Wednesday, March 14, 2012
Friday, July 08, 2011
University of California Settles Potential HIPAA Privacy and Security Violations with OCR for $865,500
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that the University of California at Los Angeles Health System, which includes UCLA Ronald Reagan Medical Center, UCLA Santa Monica Medical Center, and Orthopedic Hospital, Resnick Neuropsychiatric Hospital, and the Faculty Practice Group of UCLA (UCLAHS), has agreed to settle potential violations under the HIPAA Privacy and Security Rules for $865,500. Read the OCR press release.
The settlement highlights that hospitals, physicians, and other covered entities must understand the importance of monitoring the level of access workforce members have to medical and health information. Covered entities must have policies and procedures in place and educate workforce members about only accessing records for necessary and permissible purposes. This settlement resulted from an investigation by OCR after certain celebrity/VIP patients at the UCLA facilities complained that hospital staff, including unauthorized physicians, had inappropriately accessed their health and medical information.
UCLAHS agreed to a Corrective Action Plan for a period of three years under the terms of the Resolution Agreement. The Corrective Action Plan requires UCLAHS to review/update its current HIPAA policies and procedures, conduct follow-up workforce training, monitor compliance and submit a monitoring plan, and submit an implementation report and annual reports to OCR. The Corrective Action Plan can be found attached to the Resolution Agreement.
The Resolution Agreement described the events that led to the settlement as follows:
On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):
(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.
(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.
(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all members of its workforce to carry out their function within the Covered Entity.
(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.
(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.
More information and background can be found in the iHealthBeat article, UCLA Health System Agrees to Pay $865K over Privacy Breaches, including a link to a statement on the settlement issued by UCLA Health System.