First fine from HIPAA breach-notification rule not seen as much of a deterrent
First-ever fine for breach-notification rule doesn’t impress critics
The first-ever penalties stemming from enforcement of the breach-notification rule in the 2009 stimulus law are drawing mixed reviews from data-privacy advocates, who say federal regulators’ $1.5 million settlement with Blue Cross and Blue Shield of Tennessee seems unlikely to halt healthcare companies’ lax treatment of patient data.
HHS’ Office for Civil Rights, which enforces the data-privacy rules under the Health Insurance Portability and Accountability Act of 1996, reported last week that Blue Cross and Blue Shield of Tennessee agreed to pay $1.5 million and enter into a 450-day corrective action plan after 57 hard drives containing private health data for more than 1 million people were stolen in 2009 from a leased facility that did not have appropriate access controls.
“This is not about breach notification, it’s about security,” said Twila Brase, a registered nurse and president of the Citizens’ Council for Health Freedom in St. Paul, Minn. “The settlement brings this up into the news so people understand that we have a problem with security of private health data. But I just don’t think that the fines are necessarily going to solve the problem.”
Blue Cross and Blue Shield of Tennessee said in a news release that the unencrypted hard drives had been located in a “data storage closet” inside a former Blue Cross customer call center that the company had leased in Chattanooga, Tenn. The computer drives contained audio and video recordings of customer service calls that included some patients’ names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers.
Blue Cross said there was no indication that any of the data has been misused. The company has spent $17 million on its investigation, notification and protection efforts following the thefts, including voluntarily encrypting all of its “at rest” data.
“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times,” Tena Roberson, deputy general counsel and chief privacy officer for the Tennessee Blues, said in the release.
The Health Information Technology for Economic and Clinical Health Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, includes a requirement that certain organizations must report instances of impermissible use of private health information or breaches that affect more than 500 people to regulators and news media.
After its investigation, the Office for Civil Rights concluded that Blue Cross had violated health-privacy laws in two ways: by failing to perform a required security evaluation in response to an operational change, and by failing to implement physical safeguards such as adequate facility access controls, according to the agency’s news release.
Dr. Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation in Austin, Texas, said the Office for Civil Rights’ financial settlement and corrective action plan disregard the harm to victims. The agreement could have required the company to provide identity-theft monitoring services, for example, because many cases of medical identity theft take years to materialize, she said.
“It’s good to see OCR is trying to force the industry to protect the data,” Peel said. “It’s just disheartening to see that they did nothing to help the patients.” She also characterized the $1.5 million fine as “practically nothing” to a large, statewide health insurance company.
But the business risks presented by massive breaches, made possible by the widespread adoption of health information technology, go far beyond the penalties imposed by HHS and include the costs of media relations, reputation damage and exposure to class-action lawsuits, according to a report issued this month by a coalition called the PHI Project, led by the American National Standards Institute. Sacramento, Calif.-based Sutter Health; UCLA Health System, Los Angeles; Stanford Hospital & Clinics, Palo Alto, Calif.; and Tricare contractor SAIC have all been sued over breaches in the past six months.
The $1.5 million settlement payment in the Tennessee Blues case and the technical nature of the actual violations alleged speak to the failure of the law to protect consumers while giving healthcare organizations understandable rules, said James Pyles, a principal at the law firm Powers Pyles Sutter & Verville and a lead researcher and author of the report.
“These tapes were under biometric locks,” Pyles said. “They were double-locked. They had security in the building. It wasn’t as if these things were left in the back of a car somewhere. And yet they ended up paying the maximum that could have been paid. That has implications for everyone.”
—with Gregg Blesch