1. HIPAA Enforcement Heats Up in the Coldest State
June 27, 2012
The Health and Human Services (HHS) Office of Civil Rights (OCR) has increased enforcement actions over the past
several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an
additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year.
None of this is particularly surprising. For almost a year now, OCR has signaled that it intends to take its HIPAA
enforcement responsibilities seriously, and there certainly has been no shortage of breach incidents for it to
investigate. Since the fall of 2009, major PHI (protected health information) data breaches (defined as those affecting 500 records or more) have
impacted 20,066,249 individuals.
The June 26th news from HHS http://www.hhs.gov/news/press/2012pres/06/20120626a.html announcing a $1.7 million
settlement and resolution agreement with the state of Alaska’s Medicaid agency, shows just how serious OCR is. In the
press release, OCR Director Leon Rodriguez states:
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls
to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and
we expect organizations to comply with their obligations under these rules regardless of whether they are private or
public entities.”
The investigation began when Alaska’s Health and Social Services Department submitted a breach report on October 30th,
2009, reporting the potential breach of electronic protected health information as a result of a USB drive stolen from an
employee’s car. This incident occurred shortly after the HITECH Breach Notification Rule first went into effect. To its
credit, even though the State agency was not certain the USB drive contained protected health information, it reported the
breach and estimated 501 records had possibly been compromised.
But the OCR investigation that followed found that the Alaska department did not have adequate policies and procedures
in place to safeguard PHI. It also had not completed a security risk analysis nor implemented sufficient risk management
measures. The investigation also concluded that security training was needed for the agency’s employees and more
attention needed to be paid to controls on media and other portable devices, including a consideration of encryption of
data on such devices.
This is a painful illustration of both the seriousness of protecting patient health data and the challenges that healthcare
organizations face in comprehensively addressing IT security risk. The risks of data breach include both overt threats and
the possibility of human error or neglect. Organizations need to comprehensively and regularly conduct risk assessments
and then mitigate technical vulnerabilities, other deficiencies, compliance gaps, and inadequate procedures. And then they
should do it again. Security is a process, not a one-time project.