The Department of Health and Human Services (“DHHS”) has reported that it has reached a settlement resulting from a covered entity’s report pursuant to the HITECH Act’s breach notification rule for breaches of unsecured protected health information (“PHI”). Under the settlement agreement, Blue Cross Blue Shield of Tennessee (“BCBST”) agreed to pay $1.5 million and to enter into a corrective action plan.

BCBST had reported the theft of 57 unencrypted computer hard drives from a network data closet at an unstaffed leased facility. The data contained PHI of just over 1 million individuals, including names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

The Office for Civil Rights (“OCR”) found that BCBST failed to implement both administrative and physical safeguards required under the HIPAA Security Rule. First, BCBST failed to update their risk analysis when they transferred the equipment and data to the leased facility. Second, even though the network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock, OCR found that BCBST had not used adequate access controls.

BCBST spent nearly $17 million in investigation, notification to the individuals, and protection costs to date, bringing the total cost of this breach to 18.5 million.

Although this incident isn’t strictly a self-incrimination issue because it appears that no criminal prosecution is forthcoming, it demonstrates that in many ways covered entities are now the HIPAA police that have to report their own noncompliance and face the consequences. Of course, failing to report a reportable breach would be willful neglect—carrying the higher penalty than those breaches due to a reasonable cause.