Alaska Medicaid settles HIPAA security case for $1,700,000

It was one of the first breaches reported to HHS under HITECH, and it had never been in any media reports that I had seen.  Even to this day, HHS’s breach tool does not provide any specifics other than 501 people were affected by the theft of a USB drive. But in a press release today, HHS/OCR announced it had settled charges against the state over the breach and provided some details:

The Office for Civil Rights (OCR) received a Breach Report from the DHSS dated October 30, 2009. The document indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a DHSS computer technician on or about October 12, 2009.

On January 8, 2010, OCR notified DHSS that it will be conducting an investigation. On March 3, 2010, June 1, 2010, November 19, 2010, and April 1, 2011, OCR received DHSS’ written responses, policies, procedures, information regarding training activities, and documentation related to compliance with the Privacy and Security Rules. On June 17-18, 2010, OCR conducted a site visit to interview selected DHSS workforce members. OCR also received information from DHSS through email and telephone contacts throughout this investigation.

As a result of its investigation, OCR determined that DHSS had not 1) completed a risk analysis (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); 2) implemented sufficient risk management measures (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); 3) completed security training for DHSS workforce members (See 45 C.F.R. § 164.308(a)(1)(ii)(A)(5)(i)); 4) implemented device and media controls (See 45 C.F.R. § 164.310 (d)(1)); and 5) addressed device and media encryption (See 45 C.F.R. § 164.312(a)(2)(iv).

According to the press release today:

The Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the HHS Secretary Sebelius and the media.  Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:  http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

The HHS Resolution Agreement can be found athttp://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html

About the author: Dissent