In the first settlement of its kind under the Health Information Technology for Economic and Clinical Health Act (HITECH), BlueCross BlueShield of Tennessee recently agreed to pay the U.S. Department of Health and Human Services $1.5 million as a result of a 2009 data breach.

The case stemmed from the theft of 57 unencrypted computer hard drives from a former BlueCross call center in Chattanooga. The drives contained the protected health information (PHI) of more than 1 million BlueCross customers, including names, Social Security numbers, diagnosis codes, dates of birth, and health plan ID numbers.

Under the HITECH provisions of the Health Insurance Portability and Accountability Act (HIPAA), covered entities must promptly report data breaches affecting 500 individuals or more to HHS and the media, as well as to the affected individuals. The insurer reported the theft to HHS as required in the fall of 2009 and has spent nearly $17 million in investigation, notification, and protection efforts since then. HHS began its investigation soon after receiving notification of the breach.

As part of the settlement regarding the underlying breach, the company agreed to a 450-day corrective action plan to remedy its HIPAA compliance program. Under the plan, BlueCross must review, revise, and maintain its privacy and security policies and procedures, regularly conduct HIPAA/HITECH training for its employees, and monitor and report on its own adherence to the corrective action plan.

Though the settlement is the first relating to HITECH’s breach reporting requirements, there likely are more enforcement actions in the pipeline. Since launching its breach notification website in February 2010 as required by HITECH, HHS has received, on average, 17 breach reports each month. Six of those reports involved breaches involving PHI of more than one million patients. HHS has initiated audits on many (if not all) of the significant reported breaches to date and we anticipate further enforcement action settlements to follow.

While HIPAA provides legal requirements for how entities must handle some data breaches, there are numerous other state and federal laws that also may be applicable. More important, implementation of appropriate security measures can greatly reduce the risk of security breaches and can enhance the negotiating position in responding to governmental authorities if a breach occurs. Ballard Spahr attorneys in the Privacy and Data Security Group and the Health Care Reform Initiative are prepared to advise clients on appropriate security measures and compliance with the applicable privacy breach notification procedures.

For more information, please contact Privacy and Data Security Practice Leader Beth Moskow-Schnoll at 302.252.4447 or; Health Care Reform Initiative Leader Jean C. Hemphill at 215.864.8539 or; Edward I. Leeds at 215.864.8419 or; or the Ballard Spahr attorney with whom you work.


Copyright © 2012 by Ballard Spahr LLP.
(No claim to original U.S. government material.)


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.