The theft of a portable hard drive from a staff member of the Alaska Department of Health and Social Services (DHSS) possibly exposed the ePHI of almost 2,000 people. Following a review by the HHS Office for Civil Rights (OCR), a settlement has been agreed and the DHHS must pay the HHS $1.7 million for the HIPAA Security Rule breaches.
The U.S. Department of Health and Human Services’ Office for Civil Rights was advised of the breach when the Alaska DHSS reported the hard drive theft. All healthcare organizations must file a report of data security breaches affecting more than 500 people to the HHS Secretary Sebelius under Health Information Technology for Economic and Clinical Health (HITECH) regulations (Smaller breaches need only to be reported on per year).
A media announcement must also be made to warn potential victims and Breach Notification Rules require all people to be contacted and advised of the security breach to allow them to take action to protect their identities and money.
The investigation found a number of non-compliance issues and inadequate policies and processes to protect the electronic health information of its Medicare beneficiaries. The security holes identified by the OCR should have been listed in a risk analysis, and the lack of safeguards and vulnerabilities made it clear that this vital procedure had not been conducted.
The OCR discovered weaknesses in the risk management policies, portable devices containing ePHI were not secured and device and media controls had not been implemented. Its security staff had also not had the necessary training on data security and was therefore not fully aware of its requirements under the HIPAA Security Rule.
The HIPAA Security rule requires all covered bodies to put in place robust security measures and incorporate the administrative, technical and physical safeguards to protect patient and employee health data. Organizations must also adhere with the HIPAA Privacy rule which was introduced to make it easier for patients to access their data and also safeguard it and restrict access.
The settlement is the second biggest to date and reflects the number of violations found by the OCR and it is the first time a financial penalty has been applied to a state agency. This HIPAA penalty sends a warning to all bodies covered by HIPAA regulations, both private and public, that violating rules will incur financial penalties and the OCR is rigorously policing compliance.
OCR Director, Leon Rodriguez, said that data breaches involving portable storage devices can easily be avoided. “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices.”
Alaska Department of Health and Social Services must also implement an action plan to bring its policies and procedures up to date with current legislation and those policies and procedure must be regularly reviewed and updated. In order to track progress, a report on ongoing compliance efforts must also be regularly filed to the OCR.