Issue link: https://viewer.e-digitaledition.com/i/66918
L EG A L B R IE F Peeling Back BCBS's HIPAA Settlement Onion $1.5 MILLION by HELEN OSCISLAWSKI storage facility theft of 57 Blue Cross Blue Shield hard drives? Make sure What is the lasting lesson from the losses resulting from their negligence. third-party vendors are contractually obligated to cover T that Blue Cross Blue Shield of Tennessee entered into a resolu- tion agreement for $1.5 million to settle potential HIPAA viola- tions. I find this new case both instructive and frightening, but one has to peel back the layers of this HIPAA onion to really under- stand why the resolution between BCBS of Tennessee and HHS and the Office for Civil Rights creates an even greater nerve- racking precedent than may be immediately apparent. First, it must be noted that he Department of Health and Human Services announced March 13 OCR initiated its investigation of the BCBS breach only after BCBS submitted its HITECH Breach Report "in compliance with" 45 CFR ยง164.408. Therefore, HHS/ OCR appears to acknowledge that BCBS's reporting of the 12 breach was timely, proper and otherwise in compliance with the breach notification rule. And, while BCBS did not seem to get much reprieve here for its diligent breach reporting, it's important to point out that just because a covered entity experiences a breach does not in and of itself mean that the covered entity has violated the HIPAA Privacy or Security Rule. A covered entity must actually fall short of or be non-compliant with a HIPAA pri- vacy and security standard before an actual violation can be found. So, at least hypothetically, a covered entity could be in full compliance with the HIPAA Privacy and Security Rules, even if it experienced a breach involv- ing or potentially compromising personal health information. In such a situation, as long as the covered entity properly