OCR deputy: Lessons for providers in HIPAA settlement

Blue Cross and Blue Shield of Tennessee's recent federal settlement over alleged violations of Health Insurance Portability and Accountability Act privacy and security laws holds lessons for providers, according to a senior official responsible for HIPAA enforcement.

Susan McAndrew, deputy director of the Office of Civil Rights at HHS, which enforces the federal patient privacy law, said providers moving locations need to go through a risk assessment to identify where their data is going during the transition.

"You need to make sure at all times you have the proper safeguards in place, whether your data is at your new space or your old space or somewhere in between," McAndrew said in an interview. "And that it is updating that risk assessment to take into account the change of physical location.”

Her comments were in regard to the recently announced first enforcement action stemming from the Health Information Technology for Economic and Clinical Health Act breach notification rule. Blue Cross and Blue Shield of Tennessee agreed to pay federal regulators $1.5 million and enter into a corrective action plan after 57 hard drives were stolen from the insurer.

The company told government authorities that the computer drives contained unencrypted private health information for more than 1 million people, including names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers. The OCR investigation found that the insurer didn't perform a required security evaluation in response to operational changes and didn't have appropriate access controls at a leased facility, both of which are safeguards required under HIPAA, regulators said.

Asked if the same type of liability exists for providers using increasingly popular third-party cloud storage systems, McAndrew said the same patient data encryption and protection requirements apply.

"So wherever it is as it moves it is not accessible to unauthorized parties, only authenticated parties," she said.

If a healthcare provider relies on the provider of the storage service to do the encryption, then the healthcare organization should obtain a business associate agreement with the cloud provider so that the contractor becomes responsible for the meeting the security-rule obligation for that information.

After additional HITECH Act regulations under consideration are finalized, McAndrew said, third-party business associates in similar situations will likely face fines if they cause the breach.

"Right now, we are required to charge the covered entity for the acts of their business associate," she said.