But I’m flabbergasted, for different reasons, by the OCR’s latest move--Blue Cross Blue Shield of Tennessee getting hit with a $1.5 million fine in addition to agreeing to a corrective action plan.
BCBST was extraordinarily upfront in how it handled its breach, which affected more than 1 million individuals. The plan seemed to do everything right with its response; it talked with reporters and gave frequent updates to its customers and the industry on what happened, what was being done and lessons learned. How an organization handles a breach can go a long way toward how OCR handles the organization, the agency likes to say. OCR is welcome to a rebuttal, but BCBST seemed to respond the way OCR would want.
Yet, it was a large breach and there was privacy/security negligence beforehand, and they got hammered. I get it. What I don’t get is why OCR spent time and resources on BCBST and not on organizations that act poorly in their responses. And I really don’t understand why, if OCR had time to go after BCBST, it didn’t have time to publish the final HIPAA privacy, security, breach notification and enforcement rules.
You remember those rules--the ones promised to consumers three years ago when $27 billion was borrowed to accelerate electronic health records adoption? The ones that OCR pledged to publish in 2010? Then the ones that OCR pledged to publish in 2011? Yeah, those rules.
Who’s leveling fines against OCR for failure to execute and ensure the privacy and security of protected health information?
If BCBST merits a $1.5 million fine, why doesn’t insurer Health Net? Here’s a company that had a breach affecting 1.5 million members in May 2009--before the federal breach notification rule took effect--and didn’t report it to insurance officials in four states until six months later. Here’s a company that got fined $250,000 by the Connecticut Office of Attorney General following the first lawsuit filed for HIPAA violations under authority given to AGs by the HITECH Act, and also was fined $375,000 by the Connecticut Insurance Department for failure to notify in a timely manner.
That was just the start for Health Net. The company in early 2011 had another large breach when subcontractor IBM Corp. lost server drives with PHI on 1.9 million individuals. Health Net learned of the breach in early February and issued a press release and started notifying individuals on March 14, 2011, within the federal breach notification rule’s 60-day window. But the breach affected about 24,600 individuals in Connecticut and Health Net was under obligation to inform the state’s Attorney General within five calendar days of an incident being identified, yet didn’t notify the AG until March 4, by phone. The AG sent a letter three days later to Health Net reminding the company of its obligation to provide written notice in a timely manner and asking for quick responses to 18 questions.
It appears Health Net didn’t initially say much to the AG and it didn’t say much in its press release on March 14--which just happened to come out soon after the Connecticut AG announced the breach the same day. Health Net’s press release was not an exercise in being forthright. It did not state the number of missing drives, the number of affected individuals and their states of residence, or the date the insurer learned of the missing drives, and the company did not return phone calls asking for additional information.
There are other organizations besides Health Net that haven’t distinguished themselves with their response to breaches. But Health Net’s insincerity in how it handled two major breaches in less than two years still galls me. And it should gall the HHS Office for Civil Rights. And it should gall someone in OCR that their priorities on rendering punishment and rules are abysmal.