Recently, the Alaska Department of Health and Social Services (“DHSS”) reached a $1,700,000 settlement with the U.S. Department of Health and Human Services (“HHS”) pertaining to the HHS Office for Civil Rights (“OCR”) investigation into possible violations of the HIPAA Security Rule. To date, this is the third settlement triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act.
OCR’s investigation followed Alaska DHSS’s submission of a breach report regarding an October 12, 2009 breach incident. In the breach report, Alaska DHSS reported that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from an Alaska DHSS employee’s car. The incident affected 501 individuals.
After four rounds of requests and written responses, and a two-day OCR site visit, OCR's investigation revealed that Alaska DHSS did not have adequate policies and procedures in place for safeguarding ePHI. In violation of the HIPAA Security Rule, OCR found evidence that Alaska DHSS had not:
- completed a risk analysis,
- implemented sufficient risk management measures,
- completed security training for its workforce members,
- implemented device and media controls, or
- addressed device and media encryption.
In addition to the $1,700,000 settlement, Alaska DHSS agreed to a corrective action plan ("CAP") that requires it to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. At a minimum, the policies and procedures must include:
- procedure for tracking devices containing ePHI;
- procedure for safeguarding devices containing ePHI;
- procedure for encrypting devices that contain ePHI;
- procedure for disposal and/or re-use of devices that contain ePHI;
- procedure for responding to security incidents; and
- procedure for applying sanctions to workforce members who violate Alaska DHSS policies and procedures.
The CAP has a three-year term, during which Alaska DHSS's compliance will be overseen by a designated Monitor. Alaska DHSS is required to educate and train its workforce on its policies and procedures for safeguarding protected health information. In addition, Alaska DHSS is required to conduct a risk analysis and implement risk management measures. The CAP is contained in the resolution agreement.
OCR's enforcement action against Alaska DHSS, the state's Medicaid agency, is the first against a state agency. Alaska DHSS, funded by Alaska taxpayers and the federal government, oversees medical care for the indigent in Alaska. "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR Director Leon Rodriguez. "This is OCR's first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."
Entities, both private and public, should use this settlement and resolution agreement as guidance for the type of policies and procedures that should be in place to safeguard protected health information and, at the same time, to comply with the HIPAA Security Rule.
