It’s safe to say that the Alaska Department of Health and Social Services (DHSS) won’t be storing electronic protected health information (ePHI) on unencrypted USB devices again any time soon.
DHSS will pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The HHS Office for Civil Rights (OCR) determined that DHSS had not completed a risk analysis and had failed to:
- Implement sufficient risk management measures
- Complete security training for DHSS workforce members
- Implement device and media controls
- Create a device and media encryption standard
As part of this agreement, DHSS, which is the state’s Medicaid agency, will take corrective action to properly safeguard the ePHI of its Medicaid patients. DHSS will need to agree to and comply with a corrective action plan (CAP).
The CAP will stipulate that “DHSS shall develop, maintain, and revise as necessary, its written policies and procedures related to the provisions described in the last paragraph of I.3 of the Resolution Agreement to comply with the Federal standards that govern the privacy and security of individually identifiable health information.” DHSS will also need to agree to these CAP provisions:
- Standardize policies and procedures – Implement procedures such as tracking devices containing ePHI, safeguarding devices containing ePHI and encrypting devices that contain ePHI.
- Train employees – Any workers that use ePHI will need to be trained either within 90 days of the new policies and procedures or within 30 days of the start of employment. Employees also need to verify in written or electronic form that they have received the training.
- Assess risk management – Determine how available DHSS is to employees and the level of security in place for it.
- Form a monitoring plan – Demonstrate for 90 days, by making records available and submitting monitoring reports, that DHSS is in compliance with the CAP.
DHSS sent a breach report to OCR back on Oct. 30, 2009, reporting that a portable USB device that potentially contained ePHI had been stolen from a DHSS computer technician on Oct. 12, 2009. DHSS was notified in January 2010 that OCR would investigate the matter as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to HHS Secretary Sebelius and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the secretary on an annual basis. DHSS sent OCR compliance and training activity information in June and November of 2010 and April of 2011.
This agreement should serve as evidence that the government is serious about ePHI security and will require providers to prove they’ve taken the necessary steps to ensure that breaches don’t occur. Using a portable USB device for ePHI isn’t advisable, as OCR said back in 2006. Healthcare providers should use this agreement as an opportunity to make sure their ePHI security procedures are up to date.