Blue Cross Blue Shield of Tennessee agreed to pony up $1.5 million to the U.S. Department of Health and Human Services (HHS) for a HIPAA violation in 2009, according to a ComputerWorld report.
This payment is the settlement of a violation of the Health Insurance Portability and Accountability Act (HIPAA). That violation, in turn, stems from a 2009 data breach that affected roughly a million BlueCross BlueShield customers, for which the insurer has already paid some $17 million in restitution.
BlueCross BlueShield has also agreed to revise its privacy policy and regularly train employees on their responsibilities under HIPAA as part of the settlement, according to the report.
BlueCross BlueShield has also reportedly enacted an initiative to encrypt all at-rest user data, which goes beyond industry standards.
This settlement represents the first enforcement action by the HHS with regard to the Health Information Technology for Economic and Clinical Health (HITECH) breach notification rules. ComputerWorld notes that these rules require HIPAA-covered organizations to notify consumers of any breach in which their personal information may have been compromised. The rules further require that such companies notify the HHS and the media in instances where a breach affects more than 500 individuals.