May/June 2012

and timely reports the breach as required under the HITECH Breach Rule—and has a fully compliant, current and effective HIPAA compliance program implemented—then the covered entity should be able to assert there were no violations of HIPAA or HITECH. However, at least for BCBS of Tennessee, apparently the costs and burden of going through an investigation to prove the breach was not due to an underlying lapse in its HIPAA compliance program were not worth the $1.5 million to settle.

What may be most chilling from a compliance perspective is that the breach was allegedly caused by an intervening criminal act—the October 2009 theft of 57 unencrypted hard drives from a data storage closet in Chattanooga, Tenn. BCBS presumably paid Eastgate Complex to provide security services to safeguard the data closet where the hard drives, which featured video and audio recordings of more than 1 million customers, were being stored temporarily until their scheduled relocation a month later. It seems Eastgate had appropriate physical safeguards in place, including biometric and keycard scan security with a magnetic lock, an additional door with a keyed lock, and basic security services.

So, if BCBS contracted, paid for and relied on Eastgate to provide security services, one would think that it would be reasonable for BCBS to believe it had taken appropriate steps to attempt to safeguard the e-PHI while it was temporarily stored in the data closet. What we cannot discern from the resolution agreement is whether BCBS's contract with

Attorney Helen Oscislawski, a governor's appointee to the New Jersey Health Information Technology Commission since 2008, is an expert on HIPAA, HITECH and privacy laws. Visit oscislaw.com to learn more.

