The Alaska Department of Health and Social Services has agreed to pay more than $1.5 million to settle a breach incident involving issues of compliance with the federal health care privacy law, HIPAA. Although the investigation into the breach began with the familiar scenario of a stolen USB-connected storage device, it quickly developed into much more because federal investigators found that the department's IT risk management procedures were deficient in several respects.
The initial issue of the stolen device involved the potential disclosure of slightly more than 500 individuals receiving Medicaid benefits. According to Susan McAndrew, who serves as the deputy director of health information privacy at OCR, however, the "enforcement action does not specifically focus on the stolen portable electronic device, but rather the findings of the investigation. Alaska's breach notification opened an investigation, during which OCR found that DHSS did not have adequate policies and procedures in place to safeguard electronic protected health information."
Many of the specific deficiencies identified by the investigation related to IT security lapses. For example, Alaska DHSS was critiqued for lacking a thorough risk analysis and for failing to provide for the encryption mandated by the HIPAA Security Rule. Other deficits included risk management procedures deemed insufficient and the lack of an adequate program of training for members of the DHSS workforce.
The fine, according to McAndrew, reflects not only the number of health records that could potentially have been disclosed because of these deficiencies, but also the length of time over which the violations persisted. Nor was the monetary fine the only consequence handed down to DHSS; the department will also be required to complete a series of corrective measures that will help it review and revise its own procedures so that its HIPAA Security Rule compliance improves going forward.
The fact that the fine was based on the long-standing nature of some of the violations should serve as a call to action for any organization currently aware of a need to make improvements in the way they handle IT security related to HIPAA compliance. It is far better to adjust policies and procedures in advance of a breach. Not only will this help to reduce the likelihood of an investigation, but it can also pay significant dividends in terms of protecting a small company's good name in an industry where reputation can be paramount.
One way to improve IT security outcomes is to move to a managed security model. Such a model allows a small business to move from a tiny IT department composed of a few people to having access to the expertise and knowledge base of an entire IT company.