The Alaska Department of Health and Social Services (DHSS) was handed a $1.7 million fine by the Office for Civil Rights (OCR). The fine is one of the largest ever imposed on a single organization, and a closer look reveals why it was so large. Healthcare Info Security gives an in-depth look at the fine.
The Alaska agency lost a USB drive containing the information of 501 patients. This security breach led to an investigation by OCR, and during the investigation numerous HIPAA violations were uncovered. Based on the severity of the fine, it appears that OCR found the Alaska agency to be in "Willful Neglect" of the HIPAA regulations. OCR's findings include:
Lack of Current Risk Assessment
OCR found that DHSS had not performed the required Risk Assessment. DHSS contends that it had performed a Risk Assessment, but the assessment was not current.
Takeaway: The HIPAA Security Rule does not define how often an organization must perform the required Risk Assessment. This case shows that it is not good enough to do a risk assessment once and never review or update the findings. Remember, a Risk Assessment is the basis for understanding how patient information is being protected and should be used to implement additional security measures. If you don't perform a Risk Assessment, you may not realize the risks to patient information and you may fail to implement the safeguards that should be in place to protect the data. Although the HIPAA regulations do not specify the frequency of the Risk Assessment, industry best practice is to perform it annually, or every 2 years at the latest.
Lack of Policies and Procedures
The OCR investigation also found that DHSS did not have the required policies and procedures in place. DHSS states that it had policies and procedures, but the investigation showed that this was not the case.
Takeaway: Make sure you have written policies and procedures that are clearly documented. Policies and procedures that sit in a binder on a bookshelf, unread by anyone, leave the organization having to defend the claim that it actually has the required policies in place. Employees need to understand the policies and procedures AND they need to be trained on them as well.
Lack of Security Training
OCR found that DHSS failed to train its employees on HIPAA security.
Takeaway: All employees and workforce members are required to have HIPAA training in both the Privacy and Security Rules. The training should correspond to the written policies and procedures that have been implemented. In addition, employees should be given periodic security reminders that reinforce the training and remind them how to properly secure patient information.
The fine that the Alaska DHSS received shows that ignoring HIPAA regulations may lead to large fines being handed out by OCR. An organization may feel that the chance of being selected for one of OCR's random HIPAA audits is very small. Organizations should keep in mind that, in addition to the random audits, even small security breaches can lead to investigations. If an organization does not have an up-to-date Risk Assessment, has not implemented the required policies and procedures, and has failed to provide employee training, there is a good chance that it will receive a large fine from OCR. Implementing these items is relatively inexpensive and can lower a potential OCR fine. Every day, OCR is proving that it is serious about HIPAA enforcement. The days of ignoring HIPAA regulations are over. Take the steps to ensure your organization is compliant now!