Following an extensive investigation by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the Alaska Department of Health and Social Services (DHSS), Alaska’s state Medicaid agency, agreed to pay $1.7 million in fines and to comply with a corrective action plan (CAP) to address gaps in its compliance with the HIPAA Privacy and Security Rules.
OCR began its investigation of DHSS in October 2009 when DHHS submitted a Breach Report, one of the first reports submitted under the HHS Breach Notification Rule. The report notified OCR of the theft of a portable electronic storage device (USB hard drive), possibly containing electronic protected health information (e-PHI), from the vehicle of a DHHS computer technician.
As part of the investigation, OCR reviewed DHSS’ written privacy and security policies and procedures and conducted on-site interviews with DHSS workers. OCR found that DHHS: (1) had inadequate policies and procedures to safeguard e-PHI; (2) failed to conduct a risk analysis; and (3) did not implement sufficient risk management measures as required by the HIPAA Security Rule. In addition, DHHS did not provide adequate security training for its workforce, failed to implement device and media controls, and failed to address device and media encryption, in violation of various HIPAA Security Rule provisions.
In addition to paying a substantial fine, DHHS agreed to take corrective action to better safeguard the privacy and security of its patients’ protected health information. The CAP requires Alaska Medicaid to develop, distribute, and implement written policies and procedures to comply with HIPAA. Such policies and procedures will include procedures for tracking, safeguarding, encrypting, and disposal of devices containing e-PHI, as well as for responding to security events and sanctioning workers who violate these policies. DHHS also must train all members of its workforce who have access to e-PHI, conduct a risk analysis (by assessing the potential risks to e-PHI held by DHHS), and implement risk management measures to reduce identified risks. Finally, DHHS will be monitored for compliance with the CAP and must submit annual reports for a three-year period. The Resolution Agreement can be read here.
This HIPAA enforcement action by OCR is significant because it is the first action taken against a state agency. In OCR’s June 26 news release, OCR Director Leon Rodriguez stated
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices . . . we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
Read the OCR News Release here.