We owe what?
In a recent article released last week by the Privacy and Information Security Law blog, the Department of Health and Human Services (“HHS”) announced that it had settled the first case related to the HITECH Act Breach Notification Rule. BlueCross BlueShield of Tennessee (“BCBS Tennessee”) agreed to pay $1.5 million to settle potential HIPAA violations related to the October 2009 theft of 57 unencrypted hard drives containing protected health information (“PHI”) from a network data closet at a leased facility in Chattanooga, Tennessee.
In addition to the $1.5 million settlement with HHS, BCBS Tennessee entered into a Resolution Agreement that contained a Corrective Action Plan. The Corrective Action Plan obligates BCBS Tennessee to (1) provide OCR with its policies and procedures regarding risk management and physical access controls, (2) distribute those policies and procedures to all members of its workforce who have access to electronic PHI, (3) provide training to those workforce members, and (4) conduct random monitor reviews, including site visits and interviews of workforce members, to ensure that its workforce members are complying with BCBS Tennessee’s policies and procedures. Finally, the Corrective Action Plan requires BCBS Tennessee to submit two biannual reports to OCR that document the training efforts and monitor reviews, and to retain all records pertaining to compliance with the Corrective Action Plan for three years.
The protection of confidential information, specifically in government and healthcare, is a growing problem. With the plethora of content being created and published, it falls on the shoulders of the knowledge worker to identify and protect that information, whether physical or electronic. Unfortunately, the knowledge worker is overwhelmed both by the inundation of content and by the rules on how to label and store it. One client has over 13K entries in its records management file plan. How on earth can a knowledge worker know which descriptors to assign? Eliminating end-user interaction is always the crux of the problem. Our clients have solved it using conceptClassifier for SharePoint, our automatic semantic metadata generation, and its integration with records management applications. The solution is also used for privacy data and can include any organizationally defined descriptors for confidential information that may be unique to the organization.