Leon Rodriguez, Director for the Office of Civil Rights, is sending out a strong message to both private and public Covered Entities of all sizes: comply with the privacy and security policies set forth by HIPAA/HITECH rules or you could face substantial financial penalties.
It was recently announced that Alaska DHSS (Department of Health and Social Services) has agreed to pay a $1.7 million fine for a HIPAA breach in which an unprotected USB drive that may have contained ePHI (electronic protected health information) was stolen from the car of a DHSS employee.
In addition to the fine, the public agency must also follow a corrective action plan to maintain policies and procedures to ensure that HIPAA privacy and security requirements are met going forward.
This is the first time that OCR has taken action against a state agency for HIPAA/HITECH violations.
In a press release, Rodriguez said, “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices. This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
In other HIPAA-related news, the OCR recently released its findings on the first 20 HIPAA audits conducted by KPMG and found that Level 4 Covered Entities were lagging behind in adopting Electronic Health Records and in using encryption technology to secure patient data, which is key to adhering to regulations set forth by the Office of Civil Rights.
If you are a public or private Covered Entity that isn’t currently using encryption to secure ePHI records, we can help! Please fill out the following form and a representative will contact you shortly with more information about our SaaS-based encryption solution, which can be used to secure large files, email correspondence and removable media such as USB drives, CDs, DVDs and Blu-ray discs that are being used to store or share sensitive information with clients, partners, colleagues and business associates.