1. Parties: The Parties to this Resolution Agreement (Agreement) are: (1) the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR); and (2) BlueCross BlueShield of Tennessee (BCBST), an independent, non-profit corporation organized under the laws of and doing business in the state of Tennessee.
2. Factual Background and Covered Incidents
A. Authority of HHS
HHS enforces the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). HHS has the authority to conduct investigations of complaints alleging violations of the Privacy and Security Rules by covered entities and a covered entity must cooperate with HHS’ investigation. 45 C.F.R. §§ 160.306(c) and 160.310(b).
BCBST is a covered entity as defined at 45 C.F.R. § 160.103. Thus, BCBST is required to comply with the Privacy and Security Rules.
On January 8, 2010, OCR initiated an investigation of BCBST pursuant to a HITECH Breach Report submitted by BCBST on November 3, 2009, in compliance with 45 C.F.R. § 164.408.
B. Covered Incidents
The following incidents are hereafter referred to as the “Covered Incidents”:
On October 5, 2009, BCBST employees discovered a theft of computer equipment from a network data closet located at the Eastgate Town Center office location in Chattanooga, TN. BCBST’s internal investigation found that the theft occurred on or about October 2, 2009.
The stolen items included 57 hard drives containing encoded electronic data. The data on the hard drives consisted of over 300,000 video recordings and over 1 million audio recordings.
As part of a company move to a new building, BCBST began relocating staff from the Eastgate Town Center office on February 6, 2009, and all staff vacated the premises on June 26, 2009. After the staff relocation, BCBST surrendered most of the leased property except a network data closet to Eastgate property management. The network data closet contained the encoded computer hard drives that were stolen. As of June 30, 2009, security services were turned over to, and maintained by, Eastgate property management. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. In addition, Eastgate continued to provide security services. The servers in the network data closet were scheduled to be moved the first week of November 2009.
According to BCBST’s timeline of events, it received an alert on Friday, October 2, 2009, that the server at the Eastgate facility was unresponsive, but did not respond or investigate until Monday, October 5, 2009, because the unresponsive server message did not alert BCBST that there had been a theft and the server did not appear to adversely impact operations.
The hard drives in the network data closet were part of a system which recorded and stored audio and video recordings of customer service calls. The hard drives that were stolen contained data which included the protected health information of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. The stored audio and video data from the recorded calls had to be manually and individually reviewed to obtain access to PHI. BCBST’s internal investigation confirmed that the PHI of 1,023,209 individuals was stored on the hard drives.
3. No Admission. This Agreement is not an admission of liability by BCBST and BCBST denies any liability as a result of the theft. This settlement is entered into to avoid the burden and additional expense of investigation and litigation as set forth below.
4. No Concession. This Agreement is not a concession by HHS that BCBST is not in violation of the Privacy and Security Rules and not liable for civil monetary penalties.
5. Intention of Parties to Effect Resolution. This agreement is intended to resolve OCR Complaint Numbers 10-109315/10-SEC-03283 regarding possible violations of the Privacy and Security Rules related to the Covered Incidents as well as any other claims OCR may have related to the Covered Incidents, with the exception of any claims specifically reserved herein. In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of further investigation and formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.
II. Terms and Conditions
6. Payment. BCBST agrees to pay HHS the amount of $1,500,000 (Resolution Amount). BCBST agrees to pay the Resolution Amount by electronic funds transfer pursuant to written instructions to be provided by HHS. BCBST agrees to make this payment on or before the date BCBST signs this Agreement.
7. Corrective Action Plan. BCBST has entered into and agrees to comply with the Corrective Action Plan (CAP), attached as Appendix A, which is incorporated into this Agreement by reference. If BCBST breaches the CAP and fails to cure the breach as set forth in the CAP, then BCBST will be in breach of this Agreement and HHS will not be subject to the terms and conditions in the Release set forth in Paragraph 8 of this Agreement.
8. Release by HHS. In consideration and conditioned upon BCBST’s performance of its obligations under this Agreement, HHS releases BCBST from any actions it has or may have against BCBST under the Privacy and Security Rules, and any claims OCR may have, arising out of or related to the Covered Incidents identified in Paragraph 2 above. HHS does not release BCBST from, nor waive any rights, obligations, or causes of action other than those specifically referred to in this paragraph. This release does not extend to actions that may be brought under Section 1177 of the Social Security Act, 42 U.S.C. § 1320d-6.
9. Agreement by Parties. BCBST shall not contest the validity of its obligations to pay, nor the amount of, the Resolution Amount or any other obligations agreed to under this Agreement. BCBST waives all procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at 45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on BCBST and its successors, heirs, transferees, and assigns, including any person(s) (as defined at 45 C.F.R. § 160.103) that is or becomes a covered entity (as also defined at 45 C.F.R. § 160.103) to which the ownership or control of BCBST is sold or transferred by merger; acquisition of stock, assets or other ownership interest; or any form of purchase or transfer during the term of the CAP.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in connection with this matter, including the preparation and performance of this Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties only, and by this instrument the Parties do not release any claims against any other person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the Parties. All material representations, understandings, and promises of the Parties are contained in this Agreement. Any modifications to this Agreement shall be set forth in writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e., final and binding) upon the date of signing of this Agreement and the CAP by the last signatory (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money penalty must be imposed within six years from the date of the occurrence of the violation. To ensure that this six-year period does not expire during the term of this Agreement, BCBST agrees that the time between the Effective Date of this Resolution Agreement (as set forth in Paragraph 14) and the date this Resolution Agreement may be terminated by reason of BCBST’s breach, plus one year thereafter, will not be included in calculating the six-year statute of limitations applicable to the violations which are the subject of this Agreement. BCBST waives and will not plead any statute of limitations, laches, or similar defenses to any administrative action relating to the Covered Incidents identified in Paragraph 2 that is filed by HHS within the time period set forth above, except to the extent that such defenses would have been available had an administrative action been filed on the Effective Date of this Resolution Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. This Agreement and information related to this Agreement may be made public by either party. In addition, HHS may be required to disclose this Agreement and related material to any person upon request consistent with the applicable provisions of the Freedom of Information Act, 5 U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of which constitutes an original, and all of which shall constitute one and the same agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of BCBST represent and warrant that they are authorized by BCBST to execute this Agreement on their behalf. The individual(s) signing this Agreement on behalf of HHS represent and warrant that they are signing this Agreement in their official capacities and that they are authorized to execute this Agreement.
Xxxx Xxxxxxxxx Date
For the U.S. Department of Health and Human Services, Office for Civil Rights
Xxxxxxxxx Xxxxxxx Date
Regional Manager, Region IV
CORRECTIVE ACTION PLAN
BlueCross BlueShield of Tennessee (BCBST), a Tennessee non-profit corporation, enters into this Corrective Action Plan (CAP) with the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Contemporaneously with this CAP, BCBST is entering into a Resolution Agreement (Agreement) with HHS. This CAP is incorporated by reference into the Agreement as Appendix A. BCBST enters into this CAP as part of the consideration for the Resolution Agreement.
II. Definition of Terms
The following terms shall be interpreted as indicated below when used in this CAP:
“Electronic storage media” shall mean any electronic device that can be used to store ePHI, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disks, optical disks, digital memory cards or recordable media such as CDs, DVDs, and floppy disks.
“Portable devices” shall mean portable and/or mobile devices and external hardware that contain electronic protected health information (ePHI), store ePHI, or are used to access ePHI.
III. Contact Persons and Submissions
A. Contact Persons
BCBST has identified the following individuals as their authorized representatives and contact persons regarding the implementation of this CAP and for receipt and submission of notifications and reports:
Xxxx Xxxxxxxx, Esq.
BlueCross BlueShield of Tennessee
Deputy General Counsel/Chief Privacy Officer Legal, Governance and Privacy
Xxx Xxxxxxx Xxxx Xxxxxx Xxxxxxxxxxx, XX 00000 Xxxx_Xxxxxxxx@XXXXX.xxx Telephone: 000-000-0000
HHS had identified the following individual as its authorized representative and contact person with whom BCBST is to report information regarding implementation of the CAP:
Xxxxxxxxx Xxxxxxx Regional Manager
U.S. Department of Health and Human Services Office for Civil Rights, Region IV
00 Xxxxxxx Xxxxxx, X.X., Xxxxx 00X00 firstname.lastname@example.org
Xxxxxxx, Xxxxxxx 00000-0000
BCBST and HHS mutually agree to promptly notify each other of any changes in the contact persons or other information provided above.
B. Proof of Submissions. Unless otherwise specified, all notifications and reports required by this CAP may be made by any means, including certified mail, overnight mail, or hand delivery, provided that there is proof that such notification was received. For purposes of this requirement, internal facsimile confirmation sheets do not constitute proof of receipt.
IV. Term of CAP
The period of compliance obligations assumed by BCBST under this CAP shall be 450 days beginning with the effective date of this CAP (Effective Date). BCBST shall be obligated:
(a) to submit a second Biannual Report as set forth in section VII; and (b) to comply with the document retention requirement set forth in section VIII. The Effective Date for this CAP shall be calculated in accordance with Paragraph 14 of the Resolution Agreement. At the CAP’s expiration, the obligations herein also terminate, with the exception of those in (a) and (b) above.
In computing any period of time prescribed or allowed by this CAP, the day of the act, event, or default from which the designated period of time begins to run shall not be included. The last day of the period so computed shall be included, unless it is a Saturday, Sunday, or a legal holiday, in which event the period runs until the end of the next day that is not one of the aforementioned days.
VI. Corrective Action Obligations
BCBST agrees to the following:
A. Policies and Procedures.
1. If not already provided, BCBST shall provide copies to HHS of current written policies and procedures (Policies and Procedures) that (a) address the requirements stated in section VI.C; and (b) are consistent with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).
2. BCBST shall provide the Policies and Procedures, consistent with Paragraph 1 above, to HHS within 30 days of the Effective Date for review and approval. Upon receiving any recommended changes to the Policies and Procedures from HHS, BCBST shall have 30 days to revise the Policies and Procedures and provide the revised Policies and Procedures to HHS for review and approval. Approval shall not be unreasonably withheld.
3. Within 220 days of BCBST’s receipt of HHS’s approval as described in section VI.A.2, BCBST shall provide evidence that it has implemented the Policies and Procedures. Such evidence may include documentation that BCBST implemented the Policies and Procedures prior to the Effective Date, if the approved Policies and Procedures do not materially differ from the policies and procedures that were previously implemented.
B. Distribution and Updating of Policies and Procedures.
1. Within the first Biannual Report, BCBST shall provide evidence that it has distributed the Policies and Procedures to all members of the BCBST workforce who have access to the ePHI of BCBST. Such evidence may include documentation that BCBST distributed the Policies and Procedures prior to the Effective Date, if the approved Policies and Procedures do not materially differ from the policies and procedures that were previously distributed. BCBST shall distribute the Policies and Procedures to members of the BCBST workforce hired after the first Biannual Report within 40 days of the workforce members beginning their service.
2. BCBST shall require a written or electronic compliance certification form from each member of the workforce that receives the Policies and Procedures pursuant to section VI.B.1. Such compliance certification shall include a statement that the workforce member has read, understands, and shall abide by the Policies and Procedures.
C. Minimum Content of the Policies and Procedures and Reportable Events.
The Policies and Procedures shall include:
1. The conduct of a risk assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site;
2. The conduct of a risk management plan that implements security measures sufficient to reduce risks and vulnerabilities identified by the risk assessment to a reasonable and appropriate level;
3. Facility access controls and a facility security plan to limit access to electronic information systems and facilities where they are housed and to safeguard equipment containing ePHI from unauthorized physical access, tampering, and/or theft; and
4. Physical safeguards governing the storage of electronic storage media containing ePHI.
If BCBST determines that a member of the BCBST workforce has violated these Policies and Procedures, BCBST shall notify HHS in writing within 30 days. Such violations shall be known as “Reportable Events.” The report to HHS shall include the following information:
a. A complete description of the event, including the relevant facts, the person(s) involved, the provision(s) of the Policies and Procedures implicated; and
b. A description of BCBST’s actions taken to mitigate any harm and any further steps it plans to take to address the matter and prevent it from reoccurring.
1. In the first Biannual Report, BCBST shall provide evidence that it has provided training on the Policies and Procedures required by Section VI.A.1 to all members of the BCBST workforce who have access to ePHI. Such evidence may include documentation that BCBST provided such training prior to the Effective Date, if the approved Policies and Procedures do not materially differ from the policies and procedures that were the subject of the prior training. BCBST shall provide such training to new members of the BCBST workforce within 30 days of the workforce members beginning their service.
2. Each individual who is required to attend training shall certify, in writing or in electronic form, that the individual has received the required training. The training certification shall specify the date training was completed. All course material shall be retained in compliance with section VIII.
3. After BCBST submits its first Biannual Report, BCBST shall not involve any member of the BCBST workforce in: (a) the storage or transport of electronic storage media containing ePHI; or (b) the storage or transport of portable devices containing ePHI, if that workforce member has not executed the specified training certification required by VI.D.2. Any member of the BCBST workforce hired after the first Biannual Report must execute the training certification required by VI.D.2 within 40 days of becoming a workforce member.
1. Purpose of Monitor Reviews: Monitor Reviews shall be conducted by BCBST under the direction of the Chief Privacy Officer or his or her designee and shall seek to validate that:
a. Random samples of members of the BCBST workforce are familiar with the Policies and Procedures;
b. Random samples of members of the BCBST workforce are complying with the Policies and Procedures;
c. Electronic storage media and portable devices related to BCBST containing ePHI are secured in compliance with the Policies and Procedures. This shall be accomplished by an ePHI audit of random samples of 25 electronic storage media and 25 portable devices at BCBST’s discretion.
2. Description of Monitor Reviews: Monitor Reviews will include, but not be limited to:
a. Unannounced site visits to BCBST facilities housing portable devices;
b. Interviews with a random sample of 25 members of BCBST workforce who use portable devices;
c. Interviews with sample members of the BCBST workforce, the number and identity of whom shall be selected at BCBST’s discretion, involved in the supervision, use, retention, or destruction of electronic storage media and portable devices; and
d. Inspection of a random sample of 25 portable devices that contain ePHI and are under the control of members of BCBST workforce to ensure that such devices satisfy all applicable requirements of the Policies and Procedures.
3. Frequency of Monitor Reviews: BCBST shall conduct two Monitor Reviews: the first within 150 days of BCBST’s receipt of HHS’s approval of the Policies and Procedures and the second within 180 days of the first Monitor Review.
4. Recommendation by Monitor: Based on the Monitor Review, the Monitor shall:
a. Identify any risk to the confidentiality, integrity, and availability of ePHI residing on electronic storage media or portable devices;
b. Develop recommendations to reduce such risks or vulnerabilities to a reasonable and appropriate level; and
c. Confirm that BCBST implements reasonable and appropriate risk management steps.
The requirements to identify and manage risks identified in this subsection are in addition to, and do not replace, the procedures governing Reportable Events in section VI.C. BCBST may implement the above risk management steps by incorporating such steps into a risk management plan that is implemented pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(B).
5. Documentation of Monitor Reviews: The results of Monitor Reviews shall be fully documented, including, but not limited to:
a. Dates of unannounced site visits;
b. Summaries of results of interviews;
c. Summaries of inspections of portable devices;
d. Descriptions of any risks identified pursuant to VI.E.4.a; and
e. Any recommendations to reduce such risks, as required by VI.E.4.b.
6. Access to Monitor Records. In addition to the reports described in section VI.E.5, HHS shall have access to all notes, workpapers, and other records created during the Monitor Reviews, with the exception of any documents protected under the attorney-client or work product privilege. Such information shall be submitted to HHS, upon request, within 30 days of such request. If any information is withheld based upon attorney-client or work product privilege, BCBST shall provide to HHS a privilege log describing the documents withheld and the basis for the privilege.
VII. Biannual Reports
BCBST’s Chief Privacy Officer shall submit two Biannual Reports. The first Biannual Report shall be due within 220 days of BCBST’s receipt of HHS’ approval of the policies and procedures and the second shall be due 180 days after the first Biannual Report. This report shall include:
1. A copy of the schedule, topic outline, and materials for the training programs, including a summary of the topics covered and the length of the session(s), provided during the Reporting Period that is the subject of the report;
2. An attestation signed by BCBST’s Chief Privacy Officer attesting that BCBST has obtained written or electronic training certifications from all persons that must attend training, and that such training complies with the requirements established under this CAP;
3. A summary of Reportable Events (defined in section VI.C) that occurred during the Reporting Period and the status of any corrective and preventative action(s) relating to all such Reportable Events;
4. A copy of reports generated by Monitor Reviews pursuant to section VI.E.5; and
5. An attestation signed by BCBST’s Chief Privacy Officer attesting that he or she has reviewed the Biannual Report, has made a reasonable inquiry regarding its content and, to the best of his or her belief, the information is accurate and truthful.
VIII. Document Retention
BCBST shall maintain for inspection and copying all documents and records relating to compliance with this CAP for three (3) years.
IX. Breach Provisions
BCBST is expected to fully and timely comply with all provisions contained in this CAP.
A. Timely Written Requests for Extensions. BCBST may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by HHS at least five business days prior to the date such an act is required to be performed. HHS shall have sole discretion as to whether or not to grant an extension.
B. Notice of Breach. The parties agree that a breach of this CAP by BCBST constitutes a breach of the Resolution Agreement. Upon determination by HHS that BCBST has breached the CAP, HHS may notify BCBST of the breach thereof (this notification is hereinafter referred to as the “Notice of Breach”).
C. BCBST’s Response. BCBST shall have 30 days from the date of receipt of the Notice of Breach to demonstrate to HHS’s satisfaction that:
1. BCBST is in compliance with the obligations of the CAP cited by HHS as the basis for the breach; or
2. the alleged breach has been cured; or
3. the alleged breach cannot be cured within the 30-day period, but that (i) BCBST has begun to take action to cure the breach, (ii) BCBST is pursuing such action with due diligence; and (iii) BCBST has provided to HHS a reasonable timetable for curing the breach.
D. Imposition of CMP. If at the conclusion of the 30-day period, BCBST fails to meet the requirements of section IX.C to HHS’s satisfaction, HHS may proceed to impose a civil money penalty (CMP) pursuant to 45 C.F.R. Part 160 for any violations of the Privacy and Security Rules related to the Covered Incidents set forth in Paragraph 2B of the Recitals in the Resolution Agreement and for any other act or failure to act that constitutes a violation of the Privacy and Security Rules. HHS shall notify BCBST in writing of its determination to proceed with the imposition of a CMP. HHS and BCBST will retain all of the rights and obligations specified under 45 C.F.R. Part 160, Subparts C through E with respect to any determination by HHS that BCBST has violated the HIPAA Rules and with respect to the imposition of a CMP under this paragraph.
Xxxx Xxxxxxxxx Date
For the U.S. Department of Health and Human Services, Office for Civil Rights
Xxxxxxxxx Xxxxxxx Date
Regional Manager, Region IV