Blue Cross and Blue Shield of Tennessee's recent federal settlement over alleged violations of Health Insurance Portability and Accountability Act privacy and security laws holds lessons for providers, according to a senior official responsible for HIPAA enforcement.
Susan McAndrew, deputy director of the Office of Civil Rights at HHS, which enforces the federal patient privacy law, said providers moving locations need to go through a risk assessment to identify where their data is going during the transition.
"You need to make sure at all times you have the proper safeguards in place, whether your data is at your new space or your old space or somewhere in between," McAndrew said in an interview. "And that it is updating that risk assessment to take into account the change of physical location."
Her comments were in regard to the recently announced first enforcement action stemming from the Health Information Technology for Economic and Clinical Health Act breach notification rule. Blue Cross and Blue Shield of Tennessee agreed to pay federal regulators $1.5 million and enter into a corrective action plan after 57 hard drives were stolen from the insurer.