Last week, the Alaska Department of Health and Human Services (“Alaska DHHS”), the state’s Medicaid agency, agreed to pay the U.S. Department of Health and Human Services (“HHS”) $1.7 million to settle alleged violations of the HIPAA Security Rule. The HIPAA Security Rule protects health information in electronic form by requiring covered entities to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (“ePHI”). The Rule is enforced by the HHS Office for Civil Rights (“OCR”).
OCR began its investigation after Alaska DHHS self-reported a breach under the HITECH Act’s breach notification rules. The breach occurred when a portable USB hard drive that potentially contained ePHI was stolen from the vehicle of an Alaska DHHS employee.
In addition to the breach, OCR’s investigation revealed that Alaska DHHS did not have adequate policies and procedures in place to safeguard ePHI. OCR also found that Alaska DHHS had not completed a risk assessment, implemented sufficient risk management measures, completed employee security training, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
Alaska DHHS also entered into a corrective action plan that requires it to review, revise, and maintain its policies and procedures to ensure compliance with the HIPAA Security Rule.
Finally, OCR appointed a monitor who will report regularly to OCR on Alaska DHHS’s ongoing compliance efforts. The HHS/Alaska DHHS Resolution Agreement can be found on the OCR website.
Importantly, this is OCR’s first enforcement action against a state entity, and it demonstrates that OCR will not hesitate to bring enforcement actions against public entities that fail to take their HIPAA obligations seriously. OCR Director Leon Rodriguez stated that “we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”