The U.S. Department of Health and Human Services Office for Civil
Rights (OCR) has announced the first HIPAA enforcement action OCR
has taken against a State agency, and the resolution agreement and
related corrective action plan carry important lessons for both
public and private entities. The Alaska Department of Health and
Social Services (Alaska DHSS), the State of Alaska's Medicaid
agency, has entered into a resolution agreement with OCR to settle
potential violations of the HIPAA Security Rule. Alaska DHSS has
agreed to pay the federal government $1.7 million and also take
corrective action to properly safeguard the electronic protected
health information (ePHI) of Alaska's Medicaid
beneficiaries.
The HIPAA violations covered under the resolution agreement were
identified following a breach report submitted by Alaska DHSS as
required by the Health Information Technology for Economic and
Clinical Health (HITECH) Act. The report indicated that a single
portable electronic storage device (USB hard drive) possibly
containing ePHI was stolen from the vehicle of an Alaska DHSS
employee in 2009. Over the course of the investigation, OCR
determined that Alaska DHSS:
- Failed to implement adequate policies and procedures to safeguard ePHI;
- Had not completed an ePHI security risk analysis;
- Did not have sufficient risk management measures;
- Had not completed security training for its workforce members;
- Did not have electronic device and media controls; and
- Failed to encrypt electronic devices and media as required by the HIPAA Security Rule.
In addition to the $1,700,000 settlement, the agreement includes
a corrective action plan pursuant to which Alaska DHSS agreed to
develop and maintain policies and procedures to ensure compliance
with HIPAA's Security Rule. At a minimum, such policies and
procedures are to include:
- Procedure for tracking devices containing ePHI;
- Procedure for safeguarding devices containing ePHI;
- Procedure for encrypting devices that contain ePHI;
- Procedure for disposal and/or re-use of devices that contain ePHI;
- Procedure for responding to security incidents; and
- Procedure for applying workforce sanctions in case of policy/procedure violation.
This is the latest in a number of significant HIPAA Privacy and
Security Rule enforcement actions announced by OCR in recent
months. In April 2012, OCR entered into a settlement with a small
surgical center in Arizona called Phoenix Cardiac Surgery, P.C. In
that settlement, the surgical center agreed to pay $100,000 and to
implement policies and procedures to safeguard the protected health
information of its patients after it was reported that the surgery
center posted clinical and surgical appointments for its patients
on a publicly accessible Internet-based calendar. In March 2012,
OCR announced a settlement with Blue Cross and Blue Shield of
Tennessee (BCBST), under which BCBST agreed to pay $1.5 million and
enter into a corrective action plan to address its HIPAA compliance
issues after a report was received indicating that a number of
unencrypted BCBST hard drives that included patient records were
stolen from a leased facility in Tennessee.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.