A number of data breaches have been reported in the recent past, and every breach incident has a lesson to teach organizations that do not take HIPAA compliance seriously. This holds true for the recent breach involving the Alaska Department of Health and Social Services (DHSS). The investigation in this case was triggered by the report of a stolen USB storage drive that may have contained records of nearly 501 Medicaid beneficiaries. Alaska DHSS reported the incident in compliance with the HIPAA Breach Notification Rule, following which OCR investigated the incident. Although the breach incident was a relatively small one, Alaska DHSS now has to pay a substantial amount as a penalty for non-compliance with HIPAA.
Alaska DHSS has agreed to pay a sum of $1.7 million as settlement, which is much higher than the settlement with BlueCross BlueShield of Tennessee for a breach affecting about 1 million individuals. Susan McAndrew, the deputy director of health information privacy at OCR, said that this enforcement action against Alaska DHSS is not entirely focused on the stolen device but rather on the findings drawn from the investigation, which revealed that Alaska DHSS did not have adequate policies and procedures governing the safety of electronic health information. She said that the settlement amount reflects the number of potential violations and the period of time over which they occurred.
The investigation also revealed that DHSS had taken insufficient risk management measures and had not completed risk analysis. It was also found that the organization had not completed security training for employees, had inadequate device and media controls, and had not addressed device and media encryption requirements as per the HIPAA security norms. So, other than paying the penalty amount, Alaska DHSS is also required to take corrective action including reviewing, revising, and maintaining policies and procedures to ensure compliance with HIPAA norms.
Alaska DHSS, however, does not admit liability or wrongdoing in this case, and contends that, contrary to what has been portrayed by OCR, a risk assessment was actually conducted, although it is several years old. Bill Steur, the Commissioner of Alaska DHSS, says that OCR's definition of 'current' is not very clear. However, in light of OCR's concerns, a new risk analysis is now underway.
The Big Lesson
This incident is yet another wake-up call for all those entities that have not been giving top priority to conducting periodic risk assessments or to documenting evidence of them. If an organization has been conducting risk assessments regularly but does not have the necessary documented evidence, it would still be considered a major HIPAA violation. The monetary settlement in this case is significantly higher than in most other cases because OCR has treated this case as 'willful neglect'.
Training employees, conducting risk analysis, and documenting evidence of compliance may all be demanding tasks. But it is important to remember that the smallest negligence or failure in this regard can threaten the very survival of a business, which is why adopting a solution like SecureGRC is all the more essential. With its comprehensive security capabilities, SecureGRC can make HIPAA compliance unimaginably simple.