Theft of USB Flash Drive Results in $1.7 Million HIPAA Security Settlement | Practical Law

On June 26, 2012, the Department of Health and Human Services (HHS) settled its first enforcement action against a state agency under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for $1.7 million. The settlement also includes a corrective action plan requiring the Alaska Department of Health and Human Services to review, revise and maintain policies and procedures to ensure compliance with the HIPAA security rules.

Practical Law Legal Update 6-520-0996 (Approx. 3 pages)

by PLC Employee Benefits & Executive Compensation
Published on 27 Jun 2012 | USA (National/Federal)
On June 26, 2012, HHS announced that it had settled an enforcement action under the HIPAA Security Rule for $1.7 million with the Alaska Department of Health and Social Services (Alaska DHSS). HHS began an investigation of the Alaska DHSS after receiving a breach report under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The report indicated that a portable USB hard drive possibly containing electronic protected health information (ePHI) was stolen from an employee's vehicle. The investigation revealed that the Alaska DHSS had:
  • Inadequate policies and procedures in place to safeguard ePHI.
  • Failed to complete a risk analysis, implement sufficient risk management measures, complete security training for its workforce, implement device and media controls, and address device and media encryption, as required under the HIPAA security regulations.
As part of the settlement, the Alaska DHSS must comply with a corrective action plan that requires it, among other things, to:
  • Develop, maintain and revise its written policies and procedures for complying with HIPAA's privacy and security rules, and submit these policies to HHS for approval. The policies must contain procedures for:
    • tracking, safeguarding, encrypting, disposing of and re-using devices that contain ePHI;
    • responding to security incidents; and
    • sanctioning employees who violate the policies.
  • Distribute and update its policies and procedures to all employees who have access to ePHI.
  • Train all employees with access to ePHI.
  • Conduct risk analyses and implement security measures to manage risks.

Practical Implications

Although this enforcement action involved a state agency, the theft that led to HHS' investigation could just as easily have occurred under a private employer-sponsored health plan. The settlement is therefore a good reminder to health plans of the kinds of specific policies and procedures that should be in place to safeguard the security of ePHI. The settlement also underscores the need for HIPAA covered entities to perform a risk assessment of potential risks to the confidentiality, integrity and availability of ePHI held by the covered entity.
In another recent HIPAA development, the Office of Management and Budget (OMB) indicated that it has extended its review of omnibus guidance addressing, among other things, HITECH privacy and security, breach notification and enforcement. It is unclear when these rules, which were originally expected to be finalized in June 2012, will be issued.
For more information on the HIPAA Security Rule, see Practice Note, HIPAA Security Rule.