June 27, 2012
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human
Services (HHS) has once again entered into a significant settlement evidencing
its commitment to the aggressive enforcement of the Health Insurance Portability
and Accountability Act (HIPAA) Security Rule. In its first HIPAA enforcement
action against a state agency,
HHS announced on June 26, 2012, that it had entered into a $1.7 million
settlement as part of a resolution agreement with the Alaska Department of
Health and Social Services (DHSS), the state’s Medicaid agency. In addition to
payment of the settlement, the resolution agreement requires DHSS to comply with
a corrective action plan to properly safeguard the electronic protected health
information (ePHI) of its Medicaid beneficiaries.
The resolution agreement resulted from an OCR investigation into the 2009
theft of a portable electronic storage device, which potentially contained ePHI,
from the vehicle of a DHSS computer technician. As a result of the
investigation, OCR determined that, in contravention of the requirements of the
Security Rule, DHSS had failed to: (1) complete a risk analysis; (2) implement
sufficient risk management measures; (3) implement device and media controls;
and (4) address device and media encryption.
As part of the resolution agreement, DHSS entered into a corrective action
plan, which requires DHSS to implement the following corrective actions:
- Develop, maintain and revise as necessary its written policies and
procedures relating to the deficiencies found in the investigation and
distribute the policies and procedures to all members of the workforce who
have access to ePHI. Required policies and procedures include, but are not
limited to, procedures for: (a) tracking devices containing ePHI; (b)
safeguarding devices containing ePHI; (c) encrypting devices containing ePHI;
(d) disposal and/or re-use of devices that contain ePHI; (e) responding to
security incidents; and (f) applying sanctions to workforce members who
violate these policies and procedures.
- Develop and conduct general Security Rule training for all members of
the DHSS workforce who have access to ePHI.
- Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity and availability of ePHI
held by DHSS and implement security measures sufficient to reduce such risks
and vulnerabilities to a reasonable and appropriate level.
- Designate an independent monitor to review DHSS compliance with the
corrective action plan.
The resolution agreement, which includes OCR’s findings and details of the
corrective action plan, can be found here.
In announcing the settlement, OCR Director Leon Rodriguez cautioned that
“Covered entities must perform a full and comprehensive risk assessment and have
in place meaningful access controls to safeguard hardware and portable devices.”
He further noted: “This is OCR’s first HIPAA enforcement action against a state
agency and we expect organizations to comply with their obligations under these
rules regardless of whether they are private or public entities.”
This settlement highlights the importance to covered entities and business
associates of conducting a HIPAA security risk assessment and building a HIPAA
security compliance program that safeguards ePHI based upon the results of the
security assessment. In addition, policies and procedures should accurately
document the security measures implemented as part of the comprehensive HIPAA
security compliance program and be provided to members of a workforce who have
access to ePHI.
If you have questions regarding this article or HIPAA compliance more
generally, you may contact Kim Kannensohn at 312.750.8649 or Nathan Kottkamp at
804.775.1092.