In case you were wondering where all the money for the Medicaid expansion plan is coming from, a recent settlement makes it clear: Medicaid organizations that don’t take immediate steps to secure patient data will be among the funding sources. To Alaska, we extend our empathy, and we can identify: at the moment, I can’t find my cell phone!
We know that if the protected health information (PHI) of more than 500 patients is breached, whether through malware or hacking, or, more likely, simple theft, notice must be filed and posted on the Dept. of Health and Human Services website, and the incident is reviewed by the Office of Civil Rights.
In today’s case, a USB drive (a thumb drive) was stolen from the vehicle of an Alaska State Dept. of Health and Social Services (DHSS) employee, and the press release indicates the drive possibly contained PHI.
A $1.7 million fine was levied not because the loss potentially exposed more than 500 patients, but because during the investigation, the Office of Civil Rights (OCR) “found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.”
This goes right back to Alicia’s great post last week: Security breaches: network is secure, but front door is wide open.
OCR enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
“This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities,” said OCR Director Leon Rodriguez.
It’s scary to think a misplaced thumb drive could cost that much, so let’s turn this lesson into an Action List for our providers to check off:
* Adopt adequate policies and procedures to safeguard PHI
* Conduct a risk analysis
* Implement sufficient risk management measures
* Train the workforce on HIPAA measures, policies, and procedures
* Institute device and media controls
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
