The $1.7 Million Flashdrive...Alaska Medicaid Settles HIPAA Violations
Even state agencies are not invisible to the all-seeing eye of OCR. The use, and subsequent theft of, an unencrypted flashdrive cost the Alaska Medicaid agency $1.7 million, according to the Office of Civil Rights (OCR) in a news release issued yesterday. According to OCR, an employee of the Alaska Department of Health and Human Services (ADHHS), the state's Medicaid agency, had an unencrypted flashdrive possibly containing PHI stolen from his car back in October 2009. ADHHS reported the breach promptly to OCR, which began an investigation in the beginning of 2010.
In the Resolution Agreement, OCR stated that ADHSS had failed to:
- Complete a HIPAA risk analysis;
- Implement sufficient risk management measures;
- Complete security training for ADHHS workforce members;
- Implement device and media controls; and
- Address device and media encryption.
The Resolution Agreement require ADHHS to revise and submit to OCR its policies and procedures relating to access to e-PHI, specifically with regard to tracking and safeguarding devices containing e-PHI, encryption, disposal and re-use of such devices, responding to security incidents, and appropriately applying sanctions for violations. In addition, ADHHS is required to conduct a risk assessment of the confidentiality, integrity and availability of e-PHI, and implement security measures sufficient to reduce risks and vulnerabilities identified. The Resolution Agreement also requires ADHHS to provide specific training on the new policies.
We all know the considerable security risks that are accompanied by use of unencrypted flashdrives, laptops and other portable devices and media by employees, residents and other workforce members -- now with a hefty price tag of $1.7 million. Even for entities that have policies and procedures in place prohibiting use of such unencrypted devices, or that implement software that automatically encrypts any information saved to such devices, clearly communicating and enforcing these and the entity's other security policies and procedures is critical to avoiding security breaches and defending against potential OCR audits.
While encryption isn't per se required to be implemented by HIPAA, it is an "addressable" implementation specification of the Security Rule. This means that you must assess whether encryption would be "reasonable and appropriate" for ePHI "at rest" and in transmission, and if not appropriate, clearly have in place alternative safeguards and mechanisms to secure electronic PHI. It has become all too clear that not encrypting flashdrives, laptops, hard drives and other devices and media that can potentially leave the safety of your facility can not only result in a reportable security breach, but also some serious explaining to OCR when it comes knocking on your door. And remember, if a security incident occurs and the information that was stored or transmitted was encrypted, you are likely not required to notify patients that a security breach has occurred.
To help assess whether your security management process will stand up to OCR review, keep an eye out for our next post reviewing the the newly released OCR Audit Protocol for the HIPAA performance audits.