June 27, 2012
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has once again entered into a significant settlement evidencing its commitment to the aggressive enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In its first HIPAA enforcement action against a state agency, HHS announced on June 26, 2012, that it had entered into a $1.7 million settlement as part of a resolution agreement with the Alaska Department of Health and Social Services (DHSS), the state’s Medicaid agency. In addition to payment of the settlement, the resolution agreement requires DHSS to comply with a corrective action plan to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
The resolution agreement resulted from an OCR investigation into the 2009 theft of a portable electronic storage device, which potentially contained ePHI, from the vehicle of a DHSS computer technician. As a result of the investigation, OCR determined that, in contravention of the requirements of the Security Rule, DHSS had failed to: (1) complete a risk analysis; (2) implement sufficient risk management measures; (3) implement device and media controls; and (4) address device and media encryption.
As part of the resolution agreement, DHSS entered into a corrective action plan, which requires DHSS to implement the following corrective actions:
The resolution agreement, which includes OCR’s findings and details of the corrective action plan, can be found here.
In announcing the settlement, OCR Director Leon Rodriguez cautioned that “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices.” He further noted: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
This settlement highlights how important it is for covered entities and business associates to conduct a HIPAA security risk assessment and to build a HIPAA security compliance program that safeguards ePHI based on the results of that assessment. In addition, policies and procedures should accurately document the security measures implemented as part of the comprehensive HIPAA security compliance program and should be provided to those members of the workforce who have access to ePHI.
If you have questions regarding this article or HIPAA compliance more generally, you may contact Kim Kannensohn at 312.750.8649 or Nathan Kottkamp at 804.775.1092.