Precipitating Event: USB hard drive stolen from employee car.
The Office for Civil Rights (OCR) received a Breach Report from the State Health Agency dated October 30, 2009. The document indicated that a portable electronic storage device potentially containing protected health information (PHI) was stolen from the vehicle of a State Health Agency computer technician on or about October 12, 2009.
On January 8, 2010, OCR notified the State Health Agency that it will be conducting an investigation. On various dates, OCR received State Health Agency's written responses, policies, procedures, information regarding training activities, and documentation related to compliance with the Privacy and Security Rules. On June 17-18, 2010, OCR conducted a site visit to interview selected State Health Agency workforce members. OCR also received information from State Health Agency through email and telephone contacts throughout this investigation.
As a result of its investigation, OCR determined that State Health Agency had not 1) completed a risk analysis; 2) implemented sufficient risk management measures; 3) completed security training for State Health Agency workforce members; 4) implemented device and media controls; and 5) addressed device and media encryption.
Minor modifications for readability.
"OCR conducted a site visit to interview selected State Health Agency workforce members"
Federal investigators flew to the state, drove to the site, and knocked on the door. Beyond the confusing nature of HIPAA, perhaps there was some belligerence in the state health agency. It is not unusual for states' rights proponents to ignore the feds. But it is hard to ignore them when they are at the front door and they will be there all week investigating.
Ask Yourself: Are turf battles and political beefs worth $1.7 million in fines and three year HIPAA probation?
"(had not) implemented device and media controls and (had not) addressed device and media encryption"
'Encryption anxiety' is a common technical concern. ClinicNerds will help NerdSecure (encrypt) any computer or computer device.
Ask Yourself: Do you have an inventory of every computer and computer device?
"received a Breach Report ... dated October 30, 2009"
The precipitating incident occurred in October 2009. The resolution agreement was signed June 2012. The probation lasts 3 years to June 2015. These investigations and probations drag on for years.
Ask Yourself: Could your small practice survive with federal investigators disrupting your business for 5+ years?
A USB hard drive, about the size of a wallet, was stolen and ended up costing $1.7 million in fines. That is a very expensive hard drive.
Taking an inventory of every computer and computer device is a task in our risk assessment in the HIPAA Lifeguard app. You have to know what you have so you know what you are protecting.
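The inventory task above is easier to act on when the list carries, for each device, whether it is portable, whether it is encrypted, and whether it holds PHI. The script below is an added example (it is not ClinicNerds or HIPAA Lifeguard code) that takes a constructed inventory for a small practice, flags the combination at the heart of this case (portable device, holds PHI, not encrypted), and reports devices seen in use that were never inventoried. The asset tags, owners and the "observed tags" list are all made-up sample data.

```python
"""Asset inventory check: flag PHI-bearing devices that lack encryption.

Added example, not ClinicNerds or HIPAA Lifeguard code. Every device
record and observed asset tag below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_tag: str   # inventory identifier, e.g. the label stuck on the device
    kind: str        # workstation, laptop, usb_drive, external_hdd, ...
    owner: str
    portable: bool   # leaves the building (laptop, USB drive, external HDD)
    encrypted: bool  # full-disk / device encryption enabled and verified
    holds_phi: bool  # stores or caches protected health information


# Constructed inventory for a small practice (hypothetical asset tags).
INVENTORY = [
    Device("WS-001", "workstation", "front desk", False, False, True),
    Device("LT-002", "laptop", "dr. example", True, True, True),
    Device("LT-003", "laptop", "tech", True, False, True),
    Device("USB-004", "usb_drive", "tech", True, False, True),
    Device("USB-005", "usb_drive", "billing", True, True, False),
]

# Constructed set of asset tags seen by endpoint tooling this month
# (e.g. USB mount events). "EXT-099" is not in the inventory at all.
OBSERVED_ASSET_TAGS = {"WS-001", "LT-002", "LT-003", "USB-004", "EXT-099"}


def unknown_devices(inventory, observed_tags):
    """Tags seen in use but absent from the inventory: things you do not
    know you have, so you cannot be protecting them."""
    known = {d.asset_tag for d in inventory}
    return sorted(observed_tags - known)


def risk_findings(inventory):
    """Rate each PHI-bearing device against the two gaps OCR cited:
    missing device/media controls and missing encryption."""
    findings = []
    for d in inventory:
        if not d.holds_phi:
            continue
        if d.portable and not d.encrypted:
            # The stolen-USB-drive scenario: PHI walks out the door on an
            # unencrypted device, so a theft is a reportable breach.
            findings.append((d.asset_tag, "high", "portable, holds PHI, not encrypted"))
        elif not d.encrypted:
            findings.append((d.asset_tag, "medium", "holds PHI, not encrypted"))
    return findings


def summary(inventory, observed_tags):
    """One dict a risk assessment can record and compare over time."""
    findings = risk_findings(inventory)
    return {
        "devices": len(inventory),
        "phi_devices": sum(d.holds_phi for d in inventory),
        "high": sum(1 for f in findings if f[1] == "high"),
        "medium": sum(1 for f in findings if f[1] == "medium"),
        "unknown": unknown_devices(inventory, observed_tags),
    }


if __name__ == "__main__":
    for tag, sev, why in risk_findings(INVENTORY):
        print(f"{sev.upper():6} {tag:8} {why}")
    for tag in unknown_devices(INVENTORY, OBSERVED_ASSET_TAGS):
        print(f"UNKNOWN {tag:8} seen in use but not inventoried")
    print(summary(INVENTORY, OBSERVED_ASSET_TAGS))
```

Run it as-is to see the constructed inventory rated; in practice the `INVENTORY` list would be loaded from whatever spreadsheet or asset tool the practice keeps, and `OBSERVED_ASSET_TAGS` from endpoint or USB-mount logs. The "unknown" list is the part most small practices skip, and it is exactly the gap an inventory task exists to close.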
It is strange that this state health agency had not even bothered to conduct a risk analysis. Maybe they were stretched thin, overworked, understaffed, remote outpost...
This case underscores the confusing nature of HIPAA explanations. The state government, which also has HIPAA enforcement authority, was not even HIPAA compliant.
HHS at the federal level had to investigate and fine its little brother HHS at the state level. The Department of Health and Human Services (HHS) exists at the federal level and the state level. Most of the United States have their own state version of HHS. This case is a bit unusual in that the federal HHS investigated and fined a state HHS. So the state paid a fine to the feds. Then the feds turn around and give subsidies to the states. Odd use of our tax dollars.