Alaska DHSS Reaches $1.7M Settlement with OCR for HIPAA Security Rule Violations
The theft of a portable hard drive from an employee of the Alaska Department of Health and Social Services (DHSS) potentially exposed the ePHI of an estimated 2,000 individuals. Following an investigation by the HHS Office for Civil Rights (OCR), a settlement has been reached and the DHSS must pay the HHS $1.7 million for the HIPAA Security Rule violations.
The U.S. Department of Health and Human Services’ Office for Civil Rights was alerted to the breach when the Alaska DHSS reported the hard drive theft. Under Health Information Technology for Economic and Clinical Health (HITECH) regulations, all healthcare organizations must report data security breaches affecting more than 500 individuals to HHS Secretary Sebelius (smaller breaches need only be reported annually).
A media announcement must also be made to alert potential victims, and Breach Notification Rules require all individuals to be contacted and advised of the security breach so that they can take action to protect their identities and finances.
The investigation unearthed a number of non-compliance issues, along with policies and procedures that were inadequate to protect the electronic health information of the department's Medicare beneficiaries. The security holes discovered by the OCR should have been identified in a risk analysis, and the vulnerabilities and lack of safeguards made it clear that this vital procedure had not been conducted.
The OCR discovered inadequacies in the risk management policies: portable devices containing ePHI were not secured, and device and media controls had not been implemented. The department's security staff had also not received the required training on data security and were therefore not fully aware of their obligations under the HIPAA Security Rule. The HIPAA Security Rule requires all covered entities to implement robust security measures and incorporate the administrative, technical and physical safeguards to protect patient and employee health information. Organizations must also comply with the HIPAA Privacy Rule, which was introduced to make it easier for patients to access their data while also protecting it and restricting access.
The settlement is the second highest to date and reflects the number of violations discovered by the OCR. It is also the first time a financial penalty has been applied to a state agency. This HIPAA penalty sends a message to all entities covered by HIPAA regulations, both private and public, that violating regulations will incur financial penalties and that the OCR is rigorously policing compliance.
According to OCR Director Leon Rodriguez, data breaches involving portable storage devices can easily be prevented. “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices.”
The Alaska Department of Health and Social Services must also follow an action plan to bring its policies and procedures up to date with current legislation, and those policies and procedures must be regularly revised and updated. To monitor progress, a report on ongoing compliance efforts must also be regularly submitted to the OCR.