Editor’s Note: For more information about this story, please see FISMA Focus.

From: Health Business Daily/Report on Patient Privacy

For months, maybe years, officials from the Office for Civil Rights (OCR) or consultants who work for them have repeated a single mantra when it comes to a basic building block for compliance with the security rule: Perform a risk analysis.

Maybe that lesson will sink in now that OCR has dinged a covered entity (CE) for an astonishing $1.7 million — its biggest settlement ever since the breach law went into effect — for what the government says were security rule failures, including a lack of a risk analysis, it discovered in the wake of a stolen portable hard drive.

But in a highly unusual turn of events in a case full of “firsts,” the state of Alaska’s Medicaid and social services agency, which paid the settlement amount, is pushing back. The state believes “no Alaskan’s personal information was on the [stolen] device,” Thor Ryan, chief security officer for the state’s Department of Health and Social Services, told RPP, adding that Alaska settled only to avoid a legal battle with HHS.

Additionally, Ryan contended the state doesn’t even know what the $1.7 million is based on. OCR’s previous record payment for a breach was $1.5 million, paid just three months ago by BlueCross BlueShield of Tennessee following the theft of 57 unencrypted hard drives containing Social Security numbers and other data for more than 1 million patients. That event occurred on Oct. 5, 2009, just a week before Alaska’s theft (RPP 4/12, p. 1).

In a two-and-a-half-page rebuttal, complete with bullet points, issued a day after HHS’s June 26 settlement announcement, Bill Streur, the Alaska department’s commissioner, criticized everything from the headline on the news release to OCR’s finding that it had not completed a risk assessment.

According to the HHS press release, issued with the headline “Alaska Settles HIPAA Security Case for $1,700,000,” OCR’s investigation revealed “evidence that DHSS did not have adequate policies and procedures in place to safeguard [electronic protected health information.] Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA security rule.”

As a result of the settlement, Alaska was to make the payment and comply with a three-year corrective action plan, to be overseen by a monitor, that includes the implementation of various policies and procedures for protecting electronic health information.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR Director Leon Rodriguez said in the news release. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

State Took Actions After the Theft

The event that triggered OCR’s involvement is not in dispute. In fact, Alaska officials told the world about the theft themselves, as required by the breach rule, which went into effect Sept. 23, 2009. Alaska issued a public breach notification on Oct. 28, 2009, alerting HHS, the media and apparently any Alaskan “who uses various health and social services programs” that on Oct. 12, a portable hard drive was stolen from a departmental employee. OCR’s release said the item was in a vehicle.

The incident is listed on OCR’s list of breaches affecting 500 or more individuals; state officials entered “501” as the number. “[A]t the time we submitted this potential breach to OCR, their website only allowed numbers in that field,” Ryan explained. “It did not allow ‘unknown’ as an answer, and calls to OCR were met with the reply that no other method was allowed for us to submit our report.”

Alaska officials set up a hotline, “alerted stakeholders and partner organizations” and posted 20 frequently asked questions about the loss, explaining that, “It is unclear whether individual Alaskan’s personal information was on the stolen device. It is possible that no Alaskan’s personal information was on the device, but the department takes the security of such information very seriously and wanted to ensure that Alaskans were warned of the possibility.”

The state did not offer any credit monitoring or other services but explained how individuals could obtain a credit report, how to read it and what steps they could take if they suspected identity theft.

At the time, state officials also explained they were “securing all current software applications and updating the security to ensure that no stolen employee information may be used to compromise these applications.” Further, they said, “DHSS has adopted the Department of Administration, Enterprise Technology Services standard security product, Guardian Edge, which will protect information stored on portable devices. DHSS has already deployed the solution to all devices used by IT Services staff.”

There Is No Definition of ‘Current’

In his rebuttal, Streur, Alaska’s health and social services commissioner, told his state’s side of the story. “During the investigation of a portable hard drive that was stolen in 2009, OCR alleged possible security rule violations by DHSS. I would like to assure Alaskans that we believe no individual’s personal data have been compromised and we take our security responsibilities seriously,” he said. “We completed a thorough investigation at the time of this incident, and have not discovered or received reports that personal information was accessed or used in any way. Our department had security measures in effect before this incident that helped keep our data safe. This resolution is the result of possible security violations, not the loss of actual personal information of Alaskans.”

Streur then said he needed to address “misleading statements…that have come about from a HHS press release.” The payment was not an admission of liability or an admission that the state had violated either the privacy or security rules, Streur said. Signing off on the resolution agreement “is the only way for both parties to avoid costly and protracted litigation — a process with no guaranteed result and that could end up being more expensive for the state.”

Next Streur disputed three central conclusions by OCR regarding Alaska’s security efforts — beginning with the risk assessment issue. “OCR stated that DHSS did not have a current risk assessment. We did have a risk assessment, but it was several years old. It has not been clear in our dealings with OCR what the definition of ‘current’ is by OCR, or that there even is a definition. We have begun work on conducting a new risk analysis in light of OCR’s concerns,” according to the statement.

Secondly, “OCR suggested that DHSS did not have sufficient risk measurement in place. At the time of the investigation, DHSS had identified risk management measures, and was in the process of putting them in place,” he said.

Thirdly, Streur’s statement related, “OCR determined that DHSS did not have device and media controls and encryption in place. DHSS did have administrative controls in place in 2009, and had crafted security and privacy policies that were up for review to implement robust controls and encryption. Even before this investigation, the department had purchased encryption software and was partway through the encryption of all PCs and storage devices in the department. Currently, all computers and devices are protected with encryption software.”

Alaska, Streur said, “has completed the adoption of the security measures that were being implemented at the time of the OCR investigation. We have trained all department staff on privacy and security safeguards and ensured that our equipment is well protected.”

In response to RPP’s question of what the $1.7 million was based on, Ryan said, “OCR has not shared with us how they came to the $1.7 million amount.” When asked why the state had agreed to it, he repeated the passage in Streur’s statement that it was the “only” way to avoid costly litigation with an uncertain outcome.

Ryan said OCR never offered the option of agreeing to a corrective action plan without a payment or a payment lower than the $1.7 million.

RPP sought a response from OCR regarding Alaska officials’ comments, but did not hear back by press time.

OCR: State Had ‘Long-Standing’ Issues

“The enforcement action does not specifically focus on the stolen portable electronic device, but rather the findings of the investigation, which indicated fundamental and long-standing compliance issues,” Susan McAndrew, deputy director of OCR’s Health Information Privacy Division, said in a statement to RPP. The settlement amount “is reflective of the number of violations and the period of time over which they occurred,” McAndrew said.

The theft of the hard drive could have been a violation of Alaska’s Personal Information Protection Act if certain data were lost. But Ryan told RPP the state “has not faced any state investigations or sanctions over this incident. It is unclear whether any individual Alaskan’s personal information was on the stolen device. We believe that no Alaskan’s personal information was on the device, but the department takes the security of such information very seriously and wanted to ensure that Alaskans were warned of the possibility. We have not been told of any reported data loss as of today,” he said on June 28.