HIPAA Enforcement Heats Up in the Coldest State

The June 26th news from HHS announcing a $1.7 million settlement and resolution agreement with the state of Alaska’s Medicaid agency, shows just how serious OCR is.

Published in: Health & Medicine


Transcript

  • 1. HIPAA Enforcement Heats Up in the Coldest State

June 27, 2012

The Health and Human Services (HHS) Office of Civil Rights (OCR) has increased enforcement actions over the past several months, including reaching several breach resolution agreements with covered entities. OCR has also informed an additional 90 organizations of its intent to conduct HIPAA security audits before the end of the year.

None of this is particularly surprising. For almost a year now, OCR has signaled that it intends to take its HIPAA enforcement responsibilities seriously, and there certainly has been no shortage of breach incidents for it to investigate. Since the fall of 2009, major PHI data breaches (defined as those affecting 500 records or more) have impacted 20,066,249 individuals.

The June 26th news from HHS (http://www.hhs.gov/news/press/2012pres/06/20120626a.html) announcing a $1.7 million settlement and resolution agreement with the state of Alaska’s Medicaid agency shows just how serious OCR is. In the press release, OCR Director Leon Rodriguez states:

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The investigation began when Alaska’s Health and Social Services Department submitted a breach report on October 30th, 2009, reporting the potential breach of electronic protected health information as a result of a USB drive stolen from an employee’s car. This incident occurred shortly after the HITECH Breach Notification Rule first went into effect. To its credit, even though the State agency was not certain the USB drive contained protected health information, it reported the breach and estimated that 501 records had possibly been compromised.

But the OCR investigation that followed found that the Alaska department did not have adequate policies and procedures in place to safeguard PHI. It also had not completed a security risk analysis nor implemented sufficient risk management measures. The investigation also concluded that security training was needed for the agency’s employees and that more attention needed to be paid to controls on media and other portable devices, including consideration of encrypting the data stored on such devices.

This is a painful illustration of both the seriousness of protecting patient health data and the challenges that healthcare organizations face in comprehensively addressing IT security risk. The risks of data breach include both overt threats and the possibility of human error or neglect. Organizations need to comprehensively and regularly conduct risk assessments and then mitigate technical vulnerabilities, other deficiencies, compliance gaps, and inadequate procedures. And then they should do it again. Security is a process, not a one-time project.

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM