The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced earlier this week that it has reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS), resolving possible violations of the HIPAA Security Rule. The enforcement action is OCR’s first HIPAA enforcement action against a state agency, and it demonstrates OCR’s commitment to enforcing HIPAA obligations against public as well as private entities.
The settlement is a result of an investigation conducted by OCR following the submission of a HIPAA breach report by Alaska DHSS as required by the breach notification provisions of HITECH. The report submitted by Alaska DHSS noted that a portable electronic storage device (a USB hard drive) that contained electronic protected health information (ePHI) was stolen from a vehicle of a DHSS employee. The USB drive contained ePHI of more than 500 Alaska Medicaid beneficiaries.
OCR’s investigation indicated that Alaska DHSS did not have adequate policies and procedures in place to safeguard ePHI. OCR’s investigation also found evidence indicating that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Security Rule.
As a result of the violations, Alaska DHSS entered into a settlement agreement under which it agreed to pay $1.7 million and implement a corrective action plan to properly safeguard ePHI of its Medicaid beneficiaries. The terms of the corrective action plan require DHSS to:
- Develop, maintain, and revise as necessary written policies and procedures related to completion of a risk analysis, implementation of sufficient risk management measures, completion of security training for the DHSS workforce, implementation of device and media controls, and device and media encryption. The policies must include the minimum content outlined in the corrective action plan and must be developed within 90 days of the effective date of the resolution agreement. In addition, DHSS must develop a procedure for investigating and sanctioning workforce members for violations.
- Distribute policies and procedures to all DHSS workforce members with access to ePHI within 90 days of OCR’s approval.
- Conduct general Security Rule training and specific training for all new policies and procedures for all DHSS workforce members with access to ePHI.
- Conduct an accurate and thorough risk assessment and implement security measures to reduce risk and vulnerabilities.
- Designate an independent individual or entity to monitor and review DHSS’s compliance with the corrective action plan.
The resolution agreement and corrective action plan between DHSS and OCR are available here.