Inside a HIPAA Breach InvestigationAlaska Official Offers Lessons Learned
Organizations must be proactive in their HIPAA compliance efforts in order to avoid large penalties like the $1.7 million settlement that Alaska Department of Health and Social Services recently paid, says the agency's chief security officer Thor Ryan.
"Any steps you're doing for compliance, be expedient," Ryan urges. "With the benefit of hindsight, we would've saved millions of dollars" in settlement and other costs if the department had taken several steps sooner - including making widespread use of encryption, updating a risk assessment and ramping up HIPAA compliance training.
Alaska DHSS paid a $1.7 million settlement in June to the U.S. Department of Health and Human Services' Office for Civil Rights following a HIPAA investigation triggered by the theft of an unencrypted storage drive that potentially contained data on 500 Medicaid beneficiaries.
The Alaska agency was half-way through encrypting all its PCs as well as mobile computing and storage devices at the time of the incident, Ryan notes in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee [transcript below.]
Ryan stresses the value of widespread use of encryption and the key lesson is to take ongoing action to comply with HIPAA and carefully document all those steps.
In the interview, Ryan also describes:
- Why the department was surprised by the resolution agreement;
- How the department is complying with details of an OCR-approved corrective action plan. This includes the rollout of a learning management system to support HIPAA compliance training;
- What it's like to undergo an OCR investigation. In investigating HIPAA compliance in the Alaska department, OCR officials conducted one-on-one, in-person interviews with about a dozen staffers.
Ryan has served in a number of roles within the State of Alaska over the last 12 years. Before being named Alaska DHSS information security officer in 2008 and then chief security officer in 2011, Ryan held a variety of IT positions at various Alaska state agencies. Those positions included server administrator, security administrator and security analyst.MARIANNE KOLBASUK MCGEE: Can you tell us briefly about your organization and your role?
THOR RYAN: I serve as the chief security officer for the state of Alaska Department of Health and Social Services. Our mission is to promote and protect the health and well being of Alaska. We have 3,600 staff providing services in over 70 locations, which include a few cities and many rural towns and villages scattered over an area two and a half times the size of Texas. Most of these locations are only accessible by plane or boat.
MCGEE: Can you tell us a little about the OCR investigation and what that was like?
RYAN: The OCR investigation was punctuated. There were a number of fact-finding questions where they would send a list of questions and expect a list of detailed answers. We had about six or seven of those back and forth. They sent some investigators onsite to interview our staff, but there were many, many months of no communication from the Office of Civil Rights throughout this process. I would say that when we received a corrective action plan and resolution agreement it was a bit of a surprise.
MCGEE: What was that process like? Did they interview people? Did they go through paperwork? Tell us a little bit about that?
RYAN: They wanted to know policies and procedures. They wanted detailed information. They wanted logs from different devices that we had. They went into a level of detail that was honestly quite surprising. They interviewed people in person alone, and they interviewed me, our HIPAA privacy officer and about 12 other staff. And as they went through each one, they would spend an hour with each person and go through any number of questions to validate whether some of the procedures you had in place were actually effective. They would ask about training and when was the last time you had it. They would ask basic HIPAA questions to see if you understood HIPAA. They would ask if you had any concerns or questions, and they were very professional.
MCGEE: What are some of the lessons that you and your organization learned through the HIPAA investigation and settlement that you think other health entities should be aware of?
RYAN: Be proactive. The steps you're working on now or planning to do to improve compliance, do that expediently. We were more than halfway through our encryption project when an unencrypted hard drive was stolen. With the benefit of hindsight we could have saved millions of dollars. Be proactive in status updates to the Office for Civil Rights. Let them know how you're progressing. I really recommend following up phone calls with an e-mail summarizing the discussion. All decisions and communications need to be documented in writing.
MCGEE: In the resolution agreement between Alaska and HHS, HHS listed a number of corrective actions that needed to be performed by Alaska to ensure compliance to HIPAA. How is that going? What are some of the things that you're doing to comply?
RYAN: We're progressing on all fronts. We will be submitting two updated [requests for proposals] early next week based on the latest OCR guidance to address the risk analysis and monitoring for one of the RFPs, or the risk analysis and risk management plan and monitoring for three years for the other RFP. A number of the other items identified in the [agreement] have already been done or are part-way done. So, we're well in line to meet the requirements of the corrective action plan. We have an online learning management system we're leveraging for the improvements in our training process and are procedures already existed so we're good to go.
MCGEE: Risk assessment, HIPAA training, device encryption - those were some of the things that OCR said was lacking at Alaska DHSS. How are you addressing those issues? Are you changing processes? Are you adding staff? How are you handling that?
RYAN: We have added staff. We have an additional person on board under security architect. I think the important context here where OCR identified these issues is that they felt they were lacking at the time of the theft of the hard drive. And so we have a learning management system to address the training issue. We now conduct annual HIPAA training through that LMS. We have those RFPs that are hitting the street. Our device encryption project was already part-way done at the time, more than halfway done. We had identified the issues that OCR had addressed. We just hadn't fully realized them at the time. It was validation in the approach that we were taking and in the compliance measures that were already under way.
MCGEE: Are there any misconceptions about the HIPAA case and settlement with OCR that you would like to address?
RYAN: Absolutely. Entering into the agreement wasn't an admission of liability. We don't think we were in violation of the privacy rule or the security rule. However, it was the least expensive way for us to proceed. We know that when it comes to Medicaid, the original press release from OCR indicated Medicaid data [on the stolen device] and that was erroneous. No Medicaid data was involved. In fact, we're not even sure that any data was involved at the particular time of the theft of the hard drive. There was no proof that any data existed on that. However, there was the possibility that data may have existed on it.
We don't regret reporting [the breach]. We did the right thing. When in doubt, report is what we follow. [That] was the advice that we had from our legal counsel and we will continue to do that, but the statement that Medicaid data was at risk was not accurate. We did have a risk assessment. It was a few years old. However, OCR had never identified the definition of what a current assessment is. We had previously asked for clarification on that and they said there was no definition available. So to be found that we missed a definition that wasn't defined was interesting. We had a number of risk management measures in place. We were moving forward with them and so it was a little difficult to understand why we received this corrective action plan and resolution agreement from the Office for Civil Rights.
Besides that, I can say that overall the resolution agreement and corrective action plan has only crystallized the efforts that we have here at Health and Social Services to further comply with HIPAA and HITECH and to protect the data of our citizens.