Blue Cross Blue Shield of Tennessee agreed to pay the Department of Health and Human Services $1.5 million to settle potential HIPAA violations, according to an HHS release. This action followed BCBST's disclosure of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee. BCBST failed "to implement appropriate administrative safeguards to adequately protect information," HHS says. BCBST should have been performing the required security evaluation in response to operational changes, according to the release. In addition, the investigation showed a "failure to implement appropriate physical safeguards by not having adequate facility access controls," the release added. The HHS Office for Civil Rights, which enforces HIPAA, "expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," OCR Director Leon Rodriguez says. In addition to the fine and the policy and procedures requirements, BCBST must provide "regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA."