Alaska settles security case for $1,700,000
July 09, 2012
The Health and Human Services Office for Civil Rights (OCR) began its investigation following a breach report submitted by the Alaska Department of Health and Social Services (DHSS) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable hard drive possibly containing electronic protected health information was stolen from the vehicle of an Alaska Department of Health and Social Services employee. Over the course of the investigation, the Office for Civil Rights found evidence that the Alaska Department of Health and Social Services did not have adequate policies and procedures in place to safeguard electronic protected health information. Further, the Office for Civil Rights said the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires the Alaska Department of Health and Social Services to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to the Office of Civil Rights regularly on Alaska’s ongoing compliance efforts.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
Following the announcement by the U.S. Department of Health and Human Services of the settlement agreement, Alaska Department of Health and Social Services Commissioner William J. (Bill) Streur addressed what he called misleading statements that had come from the U.S. Department of Health and Human Services.
In a prepared statement following the settlement announcement, Streur said that entering into the agreement was not an admission of liability or that the Alaska Department of Health and Social Services was in violation of the Privacy Rule or the Security Rule. Streur said, "Agreeing to complete our HIPAA compliance measures and paying a settlement amount is the only way for both parties to avoid costly and protracted litigation – a process with no guaranteed result and that could end up being more expensive for the state."
Commissioner Streur said, "The title of the OCR release suggests that Medicaid data may have been compromised. We have absolutely no indication that Medicaid data or personal information was lost or at risk."
The Office for Civil Rights found that DHSS did not have a current risk assessment. Streur said, "We did have a risk assessment, but it was several years old. It has not been clear in our dealings with OCR what the definition of 'current' is by OCR, or that there even is a definition. We have begun work on conducting a new risk analysis in light of OCR's concerns."
The Office for Civil Rights suggested that the Alaska Department of Health and Social Services did not have sufficient risk management measures in place. Streur said, "At the time of the investigation, DHSS had identified risk management measures, and was in the process of putting them in place."
The Office for Civil Rights determined that DHSS did not have device and media controls and encryption in place. Commissioner Streur said the Alaska Department of Health and Social Services did have administrative controls in place in 2009, and had drafted security and privacy policies that were up for review to implement robust controls and encryption. "Even before this investigation, the department had purchased encryption software and was partway through the encryption of all PCs and storage devices in the department. Currently, all computers and devices are protected with encryption software," said Streur.
During the investigation of the portable hard drive that was stolen in 2009, the Office for Civil Rights alleged possible Security Rule violations by the Alaska Department of Health and Social Services. Commissioner Streur said, "I would like to assure Alaskans that we believe no individual's personal data has been compromised and we take our security responsibilities seriously."
Streur said a thorough investigation at the time of this incident was completed, and the Alaska Department of Health and Social Services has not discovered or received reports that personal information was accessed or used in any way.
"Our department had security measures in effect before this incident that helped keep our data safe. This resolution is the result of possible security violations, not the loss of actual personal information of Alaskans," said Streur.
The Alaska Department of Health and Social Services has paid the U.S. Department of Health and Human Services' Office for Civil Rights $1.7 million in a resolution agreement to address possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," affecting 500 individuals or more to the United States Department of Health and Social Services Secretary Sebelius and to the media. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.