In March 2012, BCBS of Tennessee agreed to pay $1.5M for HIPAA data breaches.

BCBSoTenn failed to encrypt hard drives containing voicemail files.

Is YOUR medical practice encrypting hard drives and flash drives embedded within

  • Laptops
  • Desktops
  • Servers
  • Copiers
  • Voice Mail systems
  • And other smart systems

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.

From Legal Health Information Exchange

As many of our readers have already heard, on March 13, 2012 HHS announced that Blue Cross Blue Shield of Tennessee entered into a Resolution Agreement for $1.5 Million Dollars to settle potential violations of HIPAA. You can access a copy of the Resolution Agreement here.

find this new case both instructive and frightening, but one has to peel back the layers of this HIPAA-onion to really understand why the Resolution Agreement between BCBS of Tennessee (BCBSOTenn) and HHS/OCR creates an even greater nerve-racking precedent than may be immediately apparent.

First, it must be noted that OCR initiated its investigation of the Breach incident and BCBSOTenn only after BCBSOTenn submitted its HITECH Breach Report “in compliance with” 45 CFR §164.408. Therefore, HHS/OCR appears to acknowledge that BCBSOTenn’s reporting of the Breach was timely, proper and otherwise in compliance with the Breach Notification Rule. And, while BCBSOTenn did not seem to get much reprieve here for its diligent Breach reporting, it’s important to point out that just because a covered entity experiences a Breach does not in and of itself mean that the covered entity has violated the HIPAA Privacy or Security Rule. A covered entity must actually fall short of or be non-compliant with a HIPAA Privacy Rule standard or Security Rule standard before an actual violation can be found.