Yesterday, the Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle possible violations of the HIPAA Security Rule. DHSS further agreed to a Corrective Action Plan (CAP) to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS. The report indicated that on or about October 12, 2009, a portable electronic storage device (a USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. On October 30, 2009, DHSS filed a breach report as required by the HITECH Act. On January 8, 2010, OCR opened an investigation that included phone and email communications, documentation requests, and a site visit.
Over the course of the investigation, OCR found evidence that DHSS:
- Did not have adequate policies and procedures in place to safeguard ePHI
- Had not completed a risk analysis (45 CFR 164.308(a)(1)(ii)(A))
- Did not implement sufficient risk management measures (45 CFR 164.308(a)(1)(ii)(B))
- Did not complete security awareness training for its workforce members (45 CFR 164.308(a)(5)(i))
- Did not implement device and media controls (45 CFR 164.310(d)(1))
- Did not address device and media encryption (45 CFR 164.312(a)(2)(iv))
OCR Director Leon Rodriguez said that “covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The Corrective Action Plan is 3 years in duration and requires that DHSS:
- Update its HIPAA policies, secure HHS approval of the new policies, and adopt the new policies, which must include:
  - A procedure for tracking devices containing ePHI
  - A procedure for safeguarding devices that contain ePHI
  - A procedure for encrypting devices that contain ePHI
  - A procedure for disposal and/or re-use of devices that contain ePHI
  - A procedure for responding to security incidents, and
  - A procedure for applying sanctions to workforce members who violate these policies and procedures
- Distribute the new policies to all workforce members, and obtain signed documentation from all employees that they have read, understand, and shall abide by the policies
- Update the policies annually, and obtain new signed documentation from all employees upon any policy revision
- Train all members of the workforce who have access to ePHI on the HIPAA Security Rule and the specifics of the DHSS policies, and maintain documentation that the training was received
- Conduct a risk analysis
- Submit to HHS its risk analysis and any new risk management measures
- Hire a third-party monitor to audit DHSS compliance with this plan and submit quarterly reports to HHS
- Submit a detailed implementation report
- Submit detailed annual reports regarding the compliance activities required by the CAP
The CAP may be viewed in its entirety at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.pdf.
This enforcement action and OCR's statements make it clear that mobile device security is a priority issue in HIPAA enforcement. Further, covered entities are advised to invest in a comprehensive risk analysis: it is the foundation of any good security program, it would identify mobile device risks such as unencrypted portable storage, and it is one of the first things OCR would look for in any investigation.