The Alaska Department of Health and Social Services (DHSS), the State Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. This is OCR’s first HIPAA enforcement action against a State agency, and OCR expects organizations to comply with their obligations under these rules regardless of whether they are private or public entities.
The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (a USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption, all of which are required by the HIPAA Security Rule.
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the State’s ongoing compliance efforts.
The HHS Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/