Thursday, August 30, 2012

Public Health Departments are subject to HIPAA rules

According to the US Dept of Health and Human Services, if a State, county, or local health department performs functions that make it a covered entity, or otherwise meets the definition of a covered entity, it must comply with the HIPAA Privacy Rule. Some health departments operate health care clinics and thus are health care providers. If these health care providers transmit health information electronically in connection with a transaction covered in the HIPAA Transactions Rule, they are covered entities.

Some of the most sensitive PHI data is housed at local health departments. With that said, having strict guidelines, security measures, etc., is paramount to serving public health.


A few months ago, the Alaska Department of Health and Human Services (DHHS) agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.


OCR’s investigation followed a breach report submitted by Alaska DHHS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive), potentially containing electronic protected health information (e-PHI), possibly was stolen from the vehicle of a DHHS computer technician on or about October 12, 2009.

Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. Here is the complete ruling: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.pdf