Alaska Breach: Tip Of IcebergInvestigation Reveals Insufficient Risk Management, Controls
A federal investigation of a breach incident - even a relatively small one - can pave the way to a substantial payment if it uncovers a pattern of non-compliance with HIPAA.
That's the lesson in the recent case of the Alaska Department of Health and Social Services, which agreed to a $1.7 million settlement. Although the case was triggered by a stolen USB storage drive potentially containing data about 501 Medicaid beneficiaries, the payment was higher than in some other cases, including the settlement with BlueCross BlueShield of Tennessee tied to a breach affecting about 1 million individuals.
"The [Alaska] enforcement action does not specifically focus on the stolen portable electronic device, but rather the findings of the investigation," says Susan McAndrew, OCR's deputy director of health information privacy. "Alaska's breach notification opened an investigation, during which OCR found that DHSS did not have adequate policies and procedures in place to safeguard electronic protected health information."
Among OCR's findings, DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule, she says.
"The amount [of the settlement] is reflective of the number of potential violations and the period of time over which they occurred," says McAndrew.
In addition to the monetary settlement, Alaska DHSS is required to perform a list of corrective actions, including "reviewing, revising, and maintaining policies and procedures to ensure compliance with the HIPAA Security Rule."
New Risk Analysis Underway
In its resolution, Alaska DHSS does not admit any liability or wrongdoing. Furthermore, in a statement released by Alaska DHSS commissioner Bill Steur, the agency contends that, contrary to how OCR has portrayed the case, Alaska DHSS had conducted a risk assessment, but says that it was "several years old."
"It has not been clear in our dealings with OCR what the definition of 'current' is by OCR, or that there even is a definition," Steur says. "We have begun work on conducting a new risk analysis in light of OCR's concerns."
The Alaska case should be a wake-up call for other covered entities, including state health agencies, that they not only need to be on their toes in doing periodic risk assessments, but also in documenting that work, says Kate Borten, president of information security and privacy consulting firm, The Marblehead Group.
"Organizations often have no documentation of their assessments," she says. If you don't have formal security risk assessment reports, "you need to keep minutes and notes about what issues you've discussed and what you've done," she said.
The Alaska settlement was higher than many other HIPAA resolution agreements to date because circumstances of this case suggest "willful neglect," says Security consultant Rebecca Herold of Rebecca Herold & Associates suspects.
"Alaska DHSS had sent, multiple times, written responses, policies, procedures, information regarding training activities, and documentation related to compliance with the Privacy and Security Rules to the OCR indicating they had done these activities," says Herold. But the investigation by OCR found otherwise.
"By the Alaska DHSS not sufficiently mitigating the risks that likely led to the 2009 breach, even over a significant amount of time that was allowed before performing the review, and providing multiple written assurances to the OCR indicating such risk mitigation had occurred, this could have led to a 'willful neglect' determination, which would have resulted in the highest possible penalties," she says.
Still, while the Alaska DHSS case is a bit of an anomaly among HIPAA investigations so far, it isn't the only case that's resulted in a large monetary settlement relative to the number of individuals affected in a breach. Massachusetts General Hospital agreed in 2011 to pay $1 million related to an incident involving the loss of documents containing PHI of 192 patients of Mass General's Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
One of the aspects of the Alaska case that got Borten's attention was the alleged lack of security training for state health agency staff.
"Training is cheap, and having no training is just disgraceful," she says.