Once again, the HHS’ Office for Civil Rights has wielded its authority with regard to HIPAA privacy and security compliance.  This time, a state government agency (Alaska Department of Health and Social Services) was assessed a $1.7M dollar penalty due to a breach of protected information.  In particular, it was found that the Alaska agency had inadequate policies and procedures, inadequate safeguards, and inadequate training in place to ensure the protection of individually identifiable information. 

As mentioned in last month’s Benefit Beat article, HIPAA Privacy and Security Audit Protocols, the government is serious about HIPAA compliance, and anyone with privacy and security responsibilities should make certain to review the audit protocol tool.

As background, the HIPAA law enacted in the mid-1990s included Administrative Simplification rules that impose both privacy and security standards on covered entities.  Covered entities include health plans, health care clearinghouses and health care providers, and through the HITECH law which amended the original HIPAA law, business associates.

The information contained in this Benefit Beat is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations.

As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained in this Benefit Beat is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.