The Alaska Department of Health and Human Services, the state's Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. According to a press release issued by the Office of Civil Rights (OCR), an employee of the Alaska Medicaid agency had an unencrypted flash drive, possibly containing PHI, stolen from his car in October 2009. The agency promptly reported the breach to OCR, which began an investigation in January 2010.

According to the Resolution Agreement, OCR found that the agency failed to:

  • Complete a HIPAA risk analysis;
  • Implement sufficient risk management measures;
  • Complete security training for ADHHS workforce members;
  • Implement device and media controls; and
  • Address device and media encryption.

In addition to the $1.7 million settlement payment, the Resolution Agreement requires the agency to:

  1. Revise its policies and procedures regarding: a) access to e-PHI, specifically tracking and safeguarding devices containing e-PHI, encryption, disposal and re-use of such devices; b) the agency’s response to security incidents; and c) appropriately applying sanctions for violations;
  2. Conduct a risk assessment of the confidentiality, integrity and availability of e-PHI;
  3. Implement security measures sufficient to reduce the risks and vulnerabilities identified;
  4. Submit its revised policies and procedures to OCR; and
  5. Provide specific training on the new policies to its workforce members.

Our Insight. Your Advantage. While encryption is not per se required under HIPAA, in our experience, not encrypting flash drives, laptops, hard drives and other devices makes it very difficult, if not impossible, to defend against OCR audits. One of the keys to avoiding security breaches and defending against potential OCR audits is to: 1) have policies and procedures in place prohibiting the use of unencrypted devices (or use software that automatically encrypts information saved to such devices); and 2) clearly communicate and enforce those policies. Remember – if a security incident occurs and the portable electronic storage device was encrypted, you are likely not required to notify patients that a security breach has occurred, and you will be in a much better position to successfully defend against an OCR audit.