The first enforcement action against a state Medicaid agency for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) (104-191) Security Rule resulted in a Resolution Agreement under which the Alaska Department of Health and Social Services (DHSS) has agreed to pay $1,700,000 to settle possible violations, according to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In addition, Alaska DHSS has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities,” OCR Director Leon Rodriguez said.
OCR began its investigation following a breach report submitted by Alaska DHSS indicating that a portable electronic storage device (a USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS computer technician. The Breach Notification Rule, which was established by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5)), requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach” of the protected health information of 500 or more individuals, to the HHS Secretary and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.
Over the course of the investigation OCR reviewed DHSS’ policies and procedures, training activities, and other documentation related to compliance with the HIPAA Privacy and Security Rules and conducted a site visit to interview select workforce members. Under the HIPAA Security Rule, covered entities are required to protect health information in its electronic form by developing and implementing physical, technical, and administrative safeguards to ensure ePHI remains private and secure. As a result of its investigation, OCR determined that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Specifically, OCR found that DHSS had not:
- completed a risk analysis (see 45 C.F.R. 164.308(a)(1)(ii)(A));
- implemented sufficient risk management measures (see 45 C.F.R. 164.308(a)(1)(ii)(B));
- completed security training for its workforce members (see 45 C.F.R. 164.308(a)(1)(ii)(A)(5)(i));
- implemented device and media controls (see 45 C.F.R. 164.310(d)(1)); or
- addressed device and media encryption (see 45 C.F.R. 164.312(a)(2)(iv)).
The Resolution Agreement and Corrective Action Plan
To resolve the possible violations of the HIPAA Privacy and Security Rules, OCR entered into a Resolution Agreement with Alaska DHSS on June 25, 2012. In addition to the $1,700,000 settlement, the agreement includes a corrective action plan (CAP). The CAP is effective for a period of three years from the date of HHS’ approval of a Monitor Plan described in the CAP.
The CAP requires Alaska DHSS to develop, revise, and maintain policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules and submit them to HHS for review and approval. Other requirements include:
- Policies and procedures, at a minimum, must be developed and implemented (1) to track, safeguard, and encrypt devices containing ePHI; (2) for disposal and re-use of devices; (3) to respond to security incidents; and (4) to impose sanctions against workforce members who violate the policies and procedures.
- Policies and procedures must be assessed, updated, and revised as necessary.
- DHSS must distribute the policies and procedures, as well as any revised policies and procedures, to all members of the workforce who have access to ePHI within 90 days of HHS’ approval of the policies and procedures.
- DHSS must provide general training on the HIPAA Security Rule and on its policies and procedures to members of the workforce who have access to ePHI within 90 days of the adoption of the policies and procedures. Training must be reviewed annually and updated to reflect any changes in the laws or in HHS guidance and any other issues or developments.
- DHSS must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by DHSS and must implement security measures to reduce the risks and vulnerabilities identified. DHSS must provide HHS with the risk analysis and risk management measures for review and approval.
- DHSS must designate a qualified individual or entity to serve as a Monitor to ensure DHSS’ compliance with the CAP. The Monitor must submit a written plan for fulfilling the duties described. The Monitor will report to OCR regularly on DHSS’ ongoing compliance efforts.
- DHSS must submit a report regarding implementation of the policies and procedures and must submit annual reports.
- DHSS must maintain all documents and records related to compliance with the CAP for a period of six years for HHS to inspect and copy.