The Alaska Department of Health and Social Services (DHSS), the state
Medicaid agency, has agreed to pay the U.S. Department of Health and
Human Services (HHS) $1,700,000 to settle possible violations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Security Rule. Alaska DHSS has also agreed to take corrective action to
properly safeguard the electronic protected health information (ePHI) of
its Medicaid beneficiaries.
The HHS Office for Civil Rights (OCR) began its investigation following
a breach report submitted by Alaska DHSS as required by the Health
Information Technology for Economic and Clinical Health (HITECH) Act.
The report indicated that a portable electronic storage device (USB hard
drive) possibly containing ePHI was stolen from the vehicle of a DHSS
employee. Over the course of the investigation, OCR found evidence that
DHSS did not have adequate policies and procedures in place to safeguard
ePHI. Further, the evidence indicated that DHSS had not completed a risk
analysis, implemented sufficient risk management measures, completed
security training for its workforce members, implemented device and
media controls, or addressed device and media encryption as required by
the HIPAA Security Rule.
In addition to the $1,700,000 settlement, the agreement includes a
corrective action plan that requires Alaska DHSS to review, revise, and
maintain policies and procedures to ensure compliance with the HIPAA
Security Rule. A monitor will report back to OCR regularly on the
state’s ongoing compliance efforts.
“Covered entities must perform a full and comprehensive risk assessment
and have in place meaningful access controls to safeguard hardware and
portable devices,” said OCR Director Leon Rodriguez. “This is OCR’s
first HIPAA enforcement action against a state agency and we expect
organizations to comply with their obligations under these rules
regardless of whether they are private or public entities.”
OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule
gives individuals rights over their protected health information and
sets rules and limits on who can look at and receive that health
information. The Security Rule protects health information in electronic
form by requiring entities covered by HIPAA to use physical, technical,
and administrative safeguards to ensure that electronic protected health
information remains private and secure.
The HITECH Breach Notification Rule requires covered entities to report
an impermissible use or disclosure of protected health information, or a
“breach,” affecting 500 individuals or more to HHS Secretary Sebelius and
the media. Smaller breaches affecting fewer than 500 individuals must be
reported to the Secretary on an annual basis.
Individuals who believe that a covered entity has violated their (or
someone else’s) health information privacy rights or committed another
violation of the HIPAA Privacy or Security Rule may file a complaint
with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.
Additional information about OCR’s enforcement activities can be found
at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.