This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a recent posting, the HHS List includes guidance that covered entities (“CEs”) and business associates (“BAs”) can use in the event of a PHI security breach in the form of brief summaries (“Summaries”) of the breach cases that the federal Office of Civil Rights (“OCR”) has investigated and closed.
On June 26, 2012, HHS and OCR reported in a press release (the “Press Release”) that Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), had agreed to pay HHS $1.7 million with respect to a resolution of possible violations of HIPAA, which included the compromising of PHI of 501 affected individuals by means of a theft that occurred on October 12, 2009 of an “Other Portable Electronic Device” (the “2009 Breach”). Alaska Medicaid has also agreed, among other things, to take corrective action to properly safeguard the PHI of Medicaid beneficiaries. An official statement by Alaska Medicaid Commissioner Bill Streur relating to the resolution with HHS of the 2009 Breach is posted on the Alaska Medicaid Web site.
While the Alaska Medicaid resolution has not yet been reported in a Summary on the HHS List, visiting the HHS List reveals that the 2009 Breach was originally posted by HHS in the very first batch of List Breaches on February 22, 2010. What is also interesting is that Alaska Medicaid had a later separate List Breach, reportedly involving the compromising of PHI of approximately 2,000 affected individuals by means of a theft on September 7, 2010 of an “Other Portable Electronic Device” (the “2010 Breach”). The 2010 Breach was reported as involving Alaskan AIDS Assistance Association as a BA.
However, it is difficult to identify readily that the 2009 Breach and the 2010 Breach involved the same CE, Alaska Medicaid. The 2009 Breach is alphabetically indexed under “Alaska Department of Health and Social Services,” while the 2010 Breach is indexed under “State of Alaska, Department of Health and Social Services.” It would be helpful for HHS to endeavor to use CE and BA names consistently to assist in analysis by those visiting the HHS List.
The Press Release of HHS regarding the 2009 Breach quotes OCR Director Leon Rodriguez: “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
It is commendable that OCR enforces compliance with HIPAA against private and public entities with the same vigor. Query, however, to what extent it is wise for HHS to exact a $1.7 million payment from Alaska Medicaid. Alaska Medicaid oversees a program to provide medical care to the indigent in Alaska, a program that is funded by the taxpayers of Alaska and the U.S. In almost all states, Medicaid programs are financially embattled and under severe economic and political stress. The large payment by Alaska Medicaid to HHS is an enforced shifting by a state agency of “other people’s money” to HHS that may have to be replaced by increased taxes or reductions in future benefits for Alaskan indigents.
This blog series will continue to review various OCR Summaries and resolutions to give guidance to CEs and BAs. We will also monitor future developments with respect to the 2010 Breach.