The Alaska Department of Health and Social Services (DHSS) – the state's Medicaid agency – has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle possible violations of the HIPAA Security Rule, making it the second largest settlement for HIPAA violations to date.
As part of the settlement, the state has also agreed to take corrective action to properly safeguard the electronic protected health information (PHI) of its Medicaid beneficiaries.
The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing PHI was stolen from the vehicle of a DHSS employee. PHI from an estimated 2,000 individuals was stored on the device.
Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard patients' PHI. Moreover, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk-management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
In addition to the $1.7 million settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state's ongoing compliance efforts.
"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR Director Leon Rodriguez. "This is OCR's first HIPAA enforcement action against a state agency, and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."
OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
Susan McAndrew, deputy director for Health Information Privacy at OCR, said, "Privacy of information is critical to quality health care. While adoption of new technologies provides tremendous opportunity for better health care delivery, if patients do not trust that their provider is keeping their information private, patients may withhold information from their providers due to worries about how their medical data may be disclosed."
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," affecting 500 individuals or more to HHS Secretary Sebelius and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.
CVS Caremark Co. became the largest OCR settlement for HIPAA violations in 2009, when it agreed to pay $2.25 million to HHS after disposing of employee Social Security numbers, insurance card numbers, patient information, computer order forms, and pill bottles containing patient data in an open dumpster. Blue Cross Blue Shield of Tennessee comes in third behind Alaska, having paid HHS $1.5 million in March 2012 after 57 encrypted hard drives were stolen from one of its facilities. The devices contained the protected health information of more than 1 million individuals.