Rules, Leon Rodriguez, Director of the HAS Office for Civil Rights (OCCUR), announced today. BEST has also agreed to a corrective action plan to address gaps in its HIPPY compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITCH) Act Breach Notification Rule. The investigation followed a notice submitted by BEST to HAS reporting that 57 unencrypted computer hard drives Nerve stolen from a leased facility in Tennessee.
The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. Scar’s investigation indicated BEST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes.
In addition, the investigation showed a failure to implement appropriate hysterical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPPY Security Rule. “This settlement sends an important message that OCCUR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPPY compliance program,” said OCCUR Director Leon Rodriguez. “The HITCH Breach Notification Rule is an important enforcement tool and OCCUR will continue to vigorously protect patients’ right to private and secure health information. In addition to the $1 talented, the agreement requires BEST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all SCABS employees covering employee responsibilities under HIPPY, and to perform monitor reviews to ensure BEST compliance with the corrective action plan. HAS Office for Civil Rights enforces the HIPPY Privacy and Security Rules. The HIPPY Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information.
The HIPPY Security Rule protects health information in electronic form by requiring entities covered by HIPPY to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HITCH reach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HAS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.