HIPAA Blog

[ Thursday, March 15, 2007 ]

 

Empire Blue Cross Blue Shield: I saw the other day a story on the loss of a cd containing PHI of 75,000 BC/BS members, and intended to post on it, but was skiing instead. Now that I've got a chance to post on it (briefly, the slopes call), I see that they've found the disk. Good for them.

Jeff [9:56 AM]

Comments:
I got a letter yesterday from my carrier, Empire Blue Cross, telling me of this lost CD, and giving me a free year of Equifax credit monitoring to help calm me down. This prompted me to poke around the web and to find your blog. I'm glad to see that they have found the CD, but have three questions:

1. Did the failure of Health Data Management Solutions (HDMS)to encrypt the PHI data constitute a violation of HIPAA in your judgment?

2. Since HDMS is an independent contractor of Empire Blue Cross, and acted as their agent in this transaction, is Empire ultimately responsible for the fact that PHI was mis-handled?

3. Any reason you can think of that I shouldn't lodge a HIPAA violation complaint with the federal Office of Civil Rights against Empire? - it's pretty easy to do online.

Please let me know. Thanks
 
Important disclosure: I AM NOT YOUR LAWYER, AND THIS IS NOT LEGAL ADVICE.

However, in my non-legal opinion, failing to encrypt is not a per se violation of HIPAA, and it would depend on the totality of the facts and circumstances to figure out whether that is a violation. If the loss of the disk was pretty much unforseen and not reasonably anticipated, then encryption would probably not be necessary.

The usual legal rules would make Empire liable ultimately for the actions of its agents. Either way, if you suffered any damages, you're privity of contract is with Empire, not HDMS.

There's nothing stopping you from filing a complaint with OCR, and it is very easy to do online. I would expect that a lot of people would have done so already in this case. You should note that once you file the complaint, it's OCR's (or perhaps CMS' in this case, since this may be a security issue rather than a privacy issue) to take and run with, and you won't get to tell them how to proceed.
 
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template