BlueCross-BlueShield of Tennessee has agreed to pay a $1.5 million settlement and carry out a corrective action plan in the wake of a 2009 breach that affected more than 1 million individuals. In addition to the $1.5 million payment, the settlement calls for the health insurer to review, revise and maintain its privacy and security policies and procedures; conduct “regular and robust” training for all employees on their responsibilities under the HIPAA privacy and security rules; and perform reviews to ensure compliance with the corrective action plan, according to an HHS announcement.
“This settlement sends an important message that OCR expects health plans and health-care providers to have in place a carefully designed, delivered and monitored HIPAA compliance program,” says Leon Rodriguez, director of the HHS Office for Civil Rights. “The HITECH breach notification rule is an important enforcement tool, and OCR will continue to vigorously protect patients’ right to private and secure health information.”