The stolen hard drives were part of an information system that documented and stored video and audio records of care-management and eligibility phone calls from members and providers to what was previously referred to as BCBST's Eastgate call center, based in Chattanooga. Blue Cross Blue Shield of Tennessee immediately investigated the data breach and made a considerable effort to strengthen the existing security procedures and processes at the Eastgate Town Center, the location where space was being rented. BCBST further obtained an independent evaluation of system-wide security, including the general security of the facility. Information regarding the breach was then placed on its official Web site to make details of the much-publicized data breach available to its clientele and stakeholders (Hsieh, 2014). The information includes a web link to the Federal Trade Commission's official Web site, where clients can easily find the steps they can take to safeguard against further data exposure, especially identity theft. Section 164.530 of the HIPAA Privacy Rule calls for appropriate technical, administrative and physical safeguards to protect the confidentiality of protected health information. The HIPAA Privacy Rule protects most individually identifiable health information transmitted or kept by a covered entity or its business associate in whichever medium or form, whether oral, paper-based or electronic.
The Security Rule complements the Privacy Rule by establishing the baseline for securing electronic protected health information (ePHI), both stored at a given location and in transit (Staggers, Gallagher, Gonçalves, & Nelson, 2014). In its final assessment, Health and Human Services asserted that, according to its inquiry, BCBST was unsuccessful in implementing appropriate administrative safeguards to sufficiently protect the protected health information at the leased facility, because it did not adequately undertake the required security evaluations in response to its operational changes. The information was nonetheless kept in a rented data closet protected by a keycard scan and biometric security in the facility, with added security provided by the owner of the building (Hsieh, 2014). Although BCBST received a notification that the server was not responding, the notification hardly alerted BCBST that there might have been an incident of theft, and the server hardly seemed to harm routine operations. HIPAA compliance 101 (training, policies, monitoring and risk evaluations) could have saved Blue Cross Blue Shield of Tennessee (BCBST) a lot of money, as some data protection authorities saw it. Instead, Blue Cross Blue Shield of Tennessee consented to a $1.5 million penalty with the Office for Civil Rights (OCR) as a result of a potential HIPAA security breach, in addition to spending an extra $17 million in privacy violation response liabilities.
In the same vein, on March 13th of the same year, BCBST and the OCR, the state's HIPAA security and privacy enforcer, reached the second-biggest financial settlement of its kind, after CVS Caremark's $2.25 million settlement just a few years back. Under the terms, BCBST is compelled to update its HIPAA compliance procedures and policies, obtain OCR approval of each policy change, and conduct unannounced random inspections of its own staff. According to a Department of Health & Human Services (HHS) public statement, this was the Office for Civil Rights' first enforcement action associated with a breach that was reported under the Health Information Technology for Economic and Clinical Health (HITECH) Act (Clifford, 2016). When organizations adopt security and privacy as core components of their organizational culture and begin implementing approaches comparable to those used in quality and safety initiatives, awareness of these concerns increases.
Well-trained personnel are a remarkable resource in mitigating numerous breaches within an organization, especially data breaches of this sort. The evaluation standard in the HIPAA Security Rule requires HIPAA covered entities (CEs) to undertake a routine technical and nontechnical evaluation, based first on the standards applied under the rule and afterwards in response to operational or environmental changes affecting the security of electronic protected health information (Hsieh, 2014). In essence, BCBST failed to apply appropriate administrative safeguards to adequately protect information held at the leased building, by not adequately undertaking the required security evaluation in response to operational changes. In addition, the investigation showed a failure to devise appropriate physical safeguards, by not instituting adequate building access controls; both of these safeguards are requirements of the HIPAA Security Rule (Clifford, 2016).