Alaska DHSS pays the freight for ePHI security breach

It’s safe to say that the Alaska Department of Health and Social Services (DHSS) won’t be storing electronic protected health information (ePHI) on unencrypted USB devices again any time soon.

DHSS will pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The HHS Office for Civil Rights (OCR) determined that, in the area of risk analysis and risk management, DHSS had failed to:

- Implement sufficient risk management measures

- Complete security training for DHSS workforce members

- Implement device and media controls

- Create a device and media encryption standard

As part of the agreement, DHSS, which is the state’s Medicaid agency, will take corrective action to properly safeguard the ePHI of its Medicaid patients. DHSS must agree to and comply with a corrective action plan (CAP).

The CAP will stipulate that “DHSS shall develop, maintain, and revise as necessary, its written policies and procedures related to the provisions described in the last paragraph of I.3 of the Resolution Agreement to comply with the Federal standards that govern the privacy and security of individually identifiable health information.” DHSS will also need to agree to these CAP provisions:

Standardize policies and procedures – Implement procedures such as tracking devices containing ePHI, safeguarding devices containing ePHI and encrypting devices that contain ePHI.

Train employees – Any workforce member who uses ePHI must be trained within 90 days of the adoption of the new policies and procedures, or within 30 days of starting employment. Employees must also confirm in written or electronic form that they have received the training.

Assess risk management – Determine how accessible DHSS’s ePHI is to its workforce and what level of security protects it.

Form a monitoring plan – Demonstrate for 90 days, by making records available and submitting monitoring reports, that DHSS is in compliance with the CAP.

DHSS sent a breach report to the Office for Civil Rights (OCR) on Oct. 30, 2009, stating that a portable USB device that potentially contained ePHI had been stolen from a DHSS computer technician on Oct. 12, 2009. OCR notified DHSS in January 2010 that it would investigate the matter under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to HHS Secretary Sebelius and to the media. Smaller breaches affecting fewer than 500 individuals must be reported to the secretary on an annual basis. DHSS sent OCR information on its compliance and training activities in June and November of 2010 and in April of 2011.

This agreement should serve as evidence that the government is serious about ePHI security and will force providers to prove they’ve taken the necessary steps to ensure that breaches don’t occur. Using a portable USB device for ePHI isn’t advisable, as OCR said back in 2006. Healthcare providers should use this agreement as an opportunity to make sure their ePHI security procedures are up to date.
