The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.
The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.
To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.
Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to ensure they continue to be appropriate. And, as this case highlights, the breach-notification rules raise the stakes even further by tipping off HHS to specific potential problems.