$1.5M Fine Marks A New Era In HITECH Enforcement
Data breach at BlueCross BlueShield of Tennessee, and subsequent penalty, stands as example of financial fallout from poor healthcare IT security practices
Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first to pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.
"It's certainly a warning shot for the healthcare industry," says John Nicholson, a Washington, D.C.-based counsel for the global sourcing practice at law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a sufficient amount to act as a deterrent? It's hard to tell at this point. It's at the upper end of what organizations can be penalized [for], and when you break it down, it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that's just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, 'Eh, it's another one.'"
But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn't been enough financial incentive to push it up the stack on the IT to-do list, he says. The HHS making the risk of pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.
"What I'm seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically been to allocate funds to get that new EMR in-house or that new clinical system, because that’s going to pay off in revenue," he says. "But when it comes to making sure HIPAA requirements are up to date, that's usually the last line item on the budget because it's really a sunk cost. Now they're going to have to look at the risk involved and wonder, 'Do I risk having a million-dollar lawsuit if I don't put the right security protocols in place?'"
The settlement BlueCross BlueShield of Tennessee paid to HHS was a penalty for failing to prevent a breach that saw the theft of 57 unencrypted hard drives containing recordings of customer service phone calls. The drives were left behind in a data closet after the company stopped using a leased facility.
"This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," said Leon Rodriguez, director of HHS OCR. "The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients' right to private and secure health information."
According to Nicholson, the breach is a good lesson to healthcare organizations on how compliance really could have helped the security of the organization and maybe even prevented a breach. "One of the things that HIPAA and HITECH require is that you go through an assessment of your policies and procedures whenever your operations significantly change. I don't know for sure, but it seems like BlueCross BlueShield of Tennessee may not have done that evaluation. If they had done it, they might have said, 'We've got these hard drives containing this unencrypted PHI and it's in a locked closet, but that's not sufficient in this leased space,'" he says. "That's probably a lesson to healthcare organizations. You really need to do those evaluations anytime a significant aspect of your operation changes that has implications on PHI."
For his part, Ranajee says the BlueCross BlueShield of Tennessee incident stands as yet another testament of the importance of encryption for healthcare data protection.
"Really, it's all about making sure that if you have data servers in your office or workplace, they need to be locked down--they need two locks on them -- and they need to be encrypted," he says. "Those are two of the main things that are not commonplace, but they should be."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like