Hopeless HIPAA: Blue Cross Blue Shield Settles Patient Data Breach Case For $1.5 Million


The Department of Health and Human Services announced a settlement with Blue Cross Blue Shield of Tennessee after the company's inadequate security measures allowed 57 unencrypted hard drives containing protected health information to be stolen from a leased medical facility.

The unencrypted hard drives contained the protected health information of over one million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

According to the settlement documents, Blue Cross failed to implement appropriate administrative safeguards for the information left at the leased facility: it did not perform the required security evaluation in response to the operational change. The investigation also found a failure to implement appropriate physical safeguards, because the facility lacked adequate access controls.

Both of these safeguards are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

In another case, the federal agency reached a $100,000 settlement with Phoenix Cardiac Surgery over its failures to comply with HIPAA. The government claimed the small medical practice posted patients' medical information on a publicly accessible, Internet-based calendar and shared personal information through employees' personal, Internet-based email accounts.

Cloud-based tools like these can let doctors share patient records and discuss a case more efficiently from portable devices such as smartphones or laptops. HIPAA does not forbid them, but it does require the same safeguards as any other system that holds patient data: the practice runs afoul of the rules when files are not encrypted, when a consumer service that stores patient data has no business associate agreement in place, and when employees send patients' sensitive personal details through personal email accounts that the practice neither controls nor audits.

HIPAA gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that information. Specifically, the HIPAA Security Rule protects health information in electronic form by requiring covered entities to implement "physical, technical, and administrative safeguards" so that electronic patient records remain private and secure.

Do you think your health information privacy rights have ever been violated under the HIPAA privacy or security rules? If so, you can file a complaint with the HHS Office for Civil Rights.

Elaine Rigoli

Elaine Rigoli is PRIVATE WiFi's manager of digital content strategy.