You might consider your organization careful when protecting personal health information but are you sure that you have met all of the requirements of the Health Insurance Portability and Accountability Act (HIPAA)? How would your organization rate in an investigation by the Office of Civil Rights (OCR)?
The OCR recently conducted an investigation of the Alaska Department of Health and Human Services (DHHS) when a USB hard drive was stolen from the vehicle of an employee. OCR discovered that DHHS did not have sufficient polices and procedures in place to safeguard electronic Personal Health Information. Additionally, DHHS failed to meet many of the requirements of the HIPAA Security Rule including addressing device and media encryption, completing a risk analysis and security training for its workforce members, and implementing sufficient risk management measures and media controls.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The DHHS will pay the U.S. Department of Health and Human Services’ $1.7 million to settle potential violations of the (HIPAA) Security Rule. Alaska has agreed to take corrective action to improve polices and procedures to safeguard the privacy and security of its patients’ protected health information.
Being a government agency doesn’t protect you from the rules. An investigation can occur at any time. Ensure that you are aware of the requirements of HIPAA and that your workers are properly trained. You can’t always protect information from a simple car burglary. But you can be prepared in case it happens. Violating HIPAA will not only cost you money. It can cost you your reputation.
For more on this story:
