Alaska DHSS has agreed to pay a sum of $1.7 million as settlement, which is much higher than the settlement with BlueCross BlueShield of Tennessee for a breach affecting about 1 million individuals. Susan McAndrew, the deputy director of health information privacy at OCR said that this enforcement action against Alaska DHSS is not entirely focused on the stolen device but rather on the findings drawn from the investigation, which revealed that Alaska DHSS did not have adequate policies and procedures governing the safety of electronic health information. She said that the settlement amount reflects the number of potential violations and the period of time over which they occurred.

The investigation also revealed that DHSS had taken insufficient risk management measures and had not completed risk analysis. It was also found that the organization had not completed security training for employees, had inadequate device and media controls, and had not addressed device and media encryption requirements as per the HIPAA security norms. So, other than paying the penalty amount, Alaska DHSS is also required to take corrective action including reviewing, revising, and maintaining policies and procedures to ensure compliance with HIPAA norms.

Alaska DHSS however does not admit liability or wrongdoing in this case, and contends that contrary to what has been portrayed by OCR, a risk assessment was actually conducted, although it is several years old. Bill Steur the Commissioner of Alaska DHSS says that OCR’s definition of ‘current’ is not very clear. However in the light of OCR’s concerns a new risk analysis is now underway.
The Big Lesson

This incident is yet another wake-up call for all those entities that have not been giving top priority to conducting periodic risk assessments, or documenting evidence for the same. If an organization has been conducting risk assessments regularly, but does not have the necessary documented evidence, it would still be considered a major HIPAA violation. The monetary settlement in this case is significantly higher than in most other cases because this case has been considered by OCR as ‘willful neglect’.

Training employees, conducting risk analysis, and documenting evidence for compliance may all be demanding tasks. But it is important to remember that the smallest negligence or failure in this regard can threaten the very survival of a business, which is why adopting a solution like SecureGRC is all the more essential. With its comprehensive security capabilities SecureGRC can make HIPAA compliance unimaginably simple.

The post A Big Lesson to Learn from the Alaska DHSS Breach appeared first on Aegify.