Alaska Fails Patient Privacy
This one goes back a few years, but it’s important to remember the patient privacy fundamentals of the Health Insurance Portability and Accountability Act (HIPAA)… and in this case, those fundamentals were COMPLETELY ignored to the tune of a $1.7 million settlement.
You’d expect two governmental health agencies – one state and one federal – to be on the same page when it comes to the protecting patient privacy. But, in this case, you’d be wrong.
In 2012, the state of Alaska’s Department of Health and Social Services (DHSS) reported to the federal department of Health and Human Services (HHS) that a portable electronic storage device (USB hard drive) possibly containing Electronic Protected Health Information (ePHI) was stolen from the vehicle of a DHSS employee.
Multiple Patient Privacy Violations
During its investigation, the Office for Civil Rights (OCR), the federal agency responsible for conducting HIPAA investigations, found that DHSS did not have adequate policies and procedures in place to safeguard ePHI.
Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
The First HIPAA Action Against a State Agency
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said then-OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
In addition to the $1,700,000 settlement, the agreement included a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
If you work with a state agency, don’t think you’re immune from HIPAA rules. If you need help with your risk analysis, give us a call.