The Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible violations of the HIPAA Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.
The HHS' Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the HITECH Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Furthermore, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
In addition to the $1.7 million settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their PHI and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical and administrative safeguards to ensure that ePHI remains private and secure.
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of PHI, or a “breach,” of 500 individuals or more to HHS Secretary Kathleen Sebelius and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.