Protect Personal Information. It’s the right thing to do. And, the penalties are big.
As mentioned several months ago, the HHS’ Office of Civil Rights (OCR) in engaged in efforts to ensure compliance with the HIPAA Administrative Simplification Rules including the privacy, security and breach notification rules (see New Pilot Audit Program: HIPAA Privacy and Security Compliance, January 2012 Benefit Beat). Indications are that, in the next 90 days, OCR will issue final regulations relating to:
- Amending the HIPAA privacy and security rules pursuant to the HITECH Act;
- The imposition of new data breach enforcement and penalty requirements;
- HITECH Act's breach notification rule; and
- Incorporation of the Genetic Information Nondiscrimination Act into the HIPAA rules.
Equally important are the actions that are being brought and the penalties that are being assessed for HIPAA privacy violations.
Of particular note, the OCR recently settled a case with Blue Cross Blue Shield of Tennessee (BCBST) for violations of the HIPAA Privacy and Security Rules. BCBST voluntarily reported the theft of 57 unencrypted computer hard drives from its leased facility in Tennessee to the OCR. The computers contained unprotected health information of 1 million+ individuals, including their names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. In addition, BCBST failed to implement administrative and physical safeguards for the protection of the equipment. BCBST was fined $1.5 million in penalties.
One of the important takeaways from this case is that had the information on the computer been encrypted, there would have been no requirement to notify OCR of a potential breach of unprotected health information. There is a requirement to issue a breach notification in the event of any potential misappropriation of unsecured protected health information. If the PHI is secured, however, there is no notification requirement. To be secured, the PHI must be either encrypted or destroyed. The rationale is that if the information is secured, there is no risk of misappropriation. Both in light of the HIPAA privacy rules and in light of the general importance of protecting an individual’s personal information, it is essential to make every effort to ensure that personal information is protected with the upmost care.
The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.
As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.