July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies.
Yesterday the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) handed down another significant sanction when the Alaska Department of Health and Social Services settled their alleged HIPAA security violations for a $1,700,000 fine in addition to agreeing to implement a much more effective information security and privacy management program, as outlined in the Resolution Agreement.
OCR Director Leon Rodriguez provided a statement that shows why all types of organizations, even this state agency, of all sizes must comply with HIPAA and HITECH requirements:
“This is OCR’s first HIPAA action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
An excerpt from the Resolution Agreement points to some of the primary issues:
“Alaska also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information. OCR’s investigation followed a breach report submitted by Alaska DHHS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.”
When you read the public notice along with the Resolution Agreement, note the emphasis on
- Policies and Procedures;
- Mobile device management, including inventories and tracking;
- The need for encryption;
- Performing regular risk assessments that are supported by sufficient risk management practices; and
- Providing regular training and ongoing awareness communications to all workers.
They pointed specifically to the following requirements as part of their resolutions for what the Alaska Medicaid office must implement:
Minimum Content of the Policies and Procedures
1. Procedure for tracking devices containing e-PHI;
2. Procedure for safeguarding devices containing e-PHI;
3. Procedure for encrypting devices that contain e-PHI;
4. Procedure for disposal and/or re-use of devices that contain e-PHI;
5. Procedure for responding to security incidents; and
6. Procedure for applying sanctions to work force members who violate these policies and procedures.
It is noteworthy that many of their requirements for resolution go beyond the explicitly stated items within the HIPAA and HITECH regulatory text. When regulatory agencies make such requirements, they are subsequently then pointed to and become de facto standards for expected information security practices in all types of organizations.
Information security and privacy program basics
Based on this case, all types of organizations, of all sizes, would be wise to do the following:
- Perform a risk assessment if you haven’t done one for a year, or if you have had a significant change that has occurred more recently within the business.
- Implement ongoing supporting risk management measures, such as regular audits, doing work area security and privacy reviews, and implementing appropriate risk mitigation technologies, just to name a few measures.
- Provide periodic information security and privacy training to your personnel, supported by ongoing awareness communications. As part of your education program you should provide training to all workers, and obtain verification from all workers that they have taken training. Do not allow workers to access or use personal information, such as PHI, until they have taken the training.
- Implement mobile computing device and media controls, including tracking, inventories, encryption, physical controls and logical controls.
Specific actions, as required by this Resolution, are also appropriate for all types of businesses to have in place.
1) Implement and/or update information security and privacy policies and procedures, appropriately customized to your specific organization, and ensure all personnel have read them, understand them, follow them and have ongoing access to refer to them.
2) Obtain signed compliance statements certifying workers have read, understand, and shall abide by such policies and procedures.
3) Policies and procedures must include, but not be limited to, the following:
- Procedure for tracking devices containing e-PHI;
- Procedure for safeguarding devices containing e-PHI;
- Procedure for encrypting devices that contain e-PHI;
- Procedure for disposal and/or re-use of devices that contain e-PHI;
- Procedure for responding to security incidents; and
- Procedure for applying sanctions to work force members who violate these policies and procedures.
4) Maintain a log of all information security and privacy activities performed to demonstrate compliance. Retain all related compliance documentation for at least six years.
Bottom line for all organizations, from the largest to the smallest: It is wise to learn from the pain of others. All organizations, in all industries, need to establish a comprehensive information security and privacy compliance program that includes the basic Cycle of Compliance components of establishing policies and procedures that are appropriate for the applicable organization, providing regular training and ongoing awareness, and doing periodic risk assessments that support a full risk management program.
This post was written as part of the IBM for Midsize Business (http://goo.gl/VQ40C) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Tags: Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training