The Health and Human Services (HHS) Office of Civil Rights (OCR) has increased enforcement actions over the past several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year.
None of this is particularly surprising. For almost a year now, OCR has signaled that it intends to take its HIPAA enforcement responsibilities seriously, and there certainly has been no shortage of breach incidents for it to investigate. Since the fall of 2009, major PHI data breaches (defined as those affecting 500 records or more) have impacted 20,066,249 individuals.
The June 26th news from HHS (http://www.hhs.gov/news/press/2012pres/06/20120626a.html), announcing a $1.7 million settlement and resolution agreement with the state of Alaska’s Medicaid agency, shows just how serious OCR is. In the press release, OCR Director Leon Rodriguez states:
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The investigation began when Alaska’s Health and Social Services Department submitted a breach report on October 30th, 2009, reporting the potential breach of electronic protected health information as a result of a USB drive stolen from an employee’s car. This incident occurred shortly after the HITECH Breach Notification Rule first went into effect. To its credit, even though the State agency was not certain the USB drive contained protected health information, it reported the breach and estimated 501 records had possibly been compromised.
But the OCR investigation that followed found that the Alaska department did not have adequate policies and procedures in place to safeguard PHI. It also had not completed a security risk analysis nor implemented sufficient risk management measures. The investigation also concluded that security training was needed for the agency’s employees and more attention needed to be paid to controls on media and other portable devices, including a consideration of encryption of data on such devices.
This is a painful illustration of both the seriousness of protecting patient health data and the challenges that healthcare organizations face in comprehensively addressing IT security risk. The risks of data breach include both overt threats and the possibility of human error or neglect. Organizations need to conduct risk assessments comprehensively and regularly, and then mitigate technical vulnerabilities, other deficiencies, compliance gaps, and inadequate procedures. And then they should do it again. Security is a process, not a one-time project.