07.02.2012 $1.7 Million HIPAA Settlement Reinforces Importance of Effective Information Governance of Electronic PHI (“ePHI”)

In the first HIPAA enforcement action brought against a state agency, the United States Department of Health and Human Services (“HHS”) announced on June 26, 2012 that it had entered into a Resolution Agreement with Alaska’s Medicaid program (“Alaska”).  Under the agreement, Alaska agreed to pay a $1.7 million penalty and to comply with a corrective action plan (“CAP”) to settle what HHS described as “possible violations” of HIPAA that came to light following the theft of a portable hard drive from a car owned by an agency employee.  Although Alaska could not say at the time of the theft, or apparently at any time thereafter, that the hard drive actually contained ePHI, the theft nevertheless triggered a breach notification under the HITECH Act and a resulting investigation by HHS. 

The fact that this settlement resulted from the theft of a single hard drive that could not be definitively said to contain any ePHI is an object lesson in the dangers and risks of poorly governed electronic data and devices in a health care setting, and it highlights the need for any entity handling ePHI to implement effective information governance practices that prevent a similar loss or theft.  Even though HHS’s investigation does not appear to have uncovered any evidence of an actual unauthorized disclosure, it did reveal numerous inadequacies in Alaska’s handling of ePHI and of the devices on which ePHI was stored, including inadequate encryption of data and inadequate controls over portable devices and media.  It bears emphasis that HHS characterized its findings as “possible violations” and that Alaska entered the settlement to resolve these compliance issues, not to settle a proven disclosure: the absence of a confirmed breach did not spare Alaska the penalty or the CAP.  

Given the rapid increase in the electronic storage of PHI over the past decade and the growing use of portable and semi-portable electronic devices in health care settings, the privacy and security issues that cost Alaska $1.7 million are in no way unique to Alaska.  Rather, in a world awash with smartphones, thumb drives, portable hard drives, and technology-driven health care solutions, there are myriad ways in which PHI and ePHI can travel outside of a secure environment, resulting in an unauthorized disclosure and a reporting obligation under the HITECH Act.  Indeed, a wide variety of health care organizations are finding themselves in situations similar to Alaska’s, in which they must grapple with privacy and security breaches that originate in often-overlooked corners of their IT infrastructure.

Covered entities and business associates alike can mitigate these risks by conducting a detailed information governance review and using the results to implement policies and procedures that ensure the organization’s use of technology does not become a leaky sieve through which ePHI can easily slip.  The first step in this process is developing a clear understanding of what ePHI an organization is creating, how that ePHI is being created, how it is being used, where it is being stored (including the laptops, backup drives, thumb drives and phones on which copies accumulate), who is accessing it, how they are accessing it, and what safeguards control that access.  With these facts in hand, information governance policies and procedures can be crafted to ensure compliance with HIPAA and to mitigate the risks associated with ePHI.     

Fortunately, the CAP with which Alaska agreed to comply to resolve the HHS enforcement action provides a basic framework for entities to follow when crafting HIPAA-compliant information governance policies for the handling of devices that create or store ePHI.  Specifically, in requiring that Alaska update its privacy and security policies, HHS mandated that, at a minimum, the revised policies contain specific procedures to govern:

  1. tracking devices containing ePHI;
  2. safeguarding devices containing ePHI;
  3. encrypting devices that contain ePHI;
  4. disposing of and/or re-using devices that contain ePHI;
  5. responding to security incidents; and
  6. applying sanctions to workforce members who violate these policies and procedures.

Any entity that deals with ePHI would be well advised to review the Alaska CAP and ensure that its own policies accord with the compliance framework set forth therein and specifically include the device-related procedures listed above.  Item 3 deserves particular attention: under HHS’s breach notification guidance, ePHI that is encrypted in a manner consistent with that guidance is not “unsecured” PHI, so the loss or theft of a properly encrypted device generally does not trigger the HITECH notification obligation that set this enforcement action in motion.  Tracking which devices hold ePHI (item 1) is what makes it possible to demonstrate, after a theft, that the device was in fact encrypted. 

For more information about this topic, you may contact the author or any member of the Williams Mullen eDiscovery and Information Governance Team or the Williams Mullen Health Care Team.