Yet again another blog post on BCBS TN!!  Once again, proof again that HIPAA compliance is not just an information technology problem.  This one is different.  Get some practical, actionable advise!  Learn how to better manage you compliance risks as well as security risks…

Go to school on BCBS TN!

Have you been ignoring that HIPAA Evaluation regulation (at 45 CFR 164.308(a)(8) that requires an entity to perform a technical and non-technical evaluation of their environment anytime there is an operational change in the environment? Beware, that not only increases security risk, but compliance risk…and OCR recently made that clear.

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5M to settle potential violations of the HIPAA Privacy and Security Rules. This is the first enforcement action resulting from a data breach notification which became law under the HITECH Act.

The personal health information of over 1 million individuals went missing when 57 hard drives containing electronic patient health information were stolen from a leased facility in Tennessee. OCR had this to say “BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes.” It was a physical security breach, coupled with weak technical controls.

So why the Evaluation? Properly done, the Evaluation would have found there was “a failure to implement appropriate physical safeguards by not having adequate facility access controls”.

The very first step in achieving HIPAA Compliance should performing an Evaluation and reacting swiftly to the findings. Don’t let this critical first step fall to the side, because it will be one of the first questions OCR asks if they come knocking on your door after a data breach.

Clearwater Compliance offers the most comprehensive HIPAA Security Evaluation on the market at:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.