Today, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that the Alaska Department of Health and Social Services (Alaska DHSS), which is that state’s Medicaid agency, has agreed to pay $1.7 million to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. Alaska DHSS has also agreed to institute a corrective action plan (“CAP”) to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.
OCR’s investigation began in October 2009, after Alaska DHSS filed a breach report, as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Alaska DHSS reported that on or about October 12, 2009, a portable electronic storage device potentially containing ePHI was stolen from the vehicle of a DHSS computer technician.
As a result of the investigation, OCR determined that Alaska DHSS had not 1) completed a risk analysis (See 45 C.F.R. § 164.308(a)(1)(ii)(A)); 2) implemented sufficient risk management measures (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); 3) completed security training for DHSS workforce members (See 45 C.F.R. § 164.308(a)(1)(ii)(A)(5)(i)); 4) implemented device and media controls (See 45 C.F.R. § 164.310 (d)(1)); and 5) addressed device and media encryption (See 45 C.F.R. § 164.312(a)(2)(iv).
In addition to the $1.7 million payment, Alaska DHSS’ corrective action plan requires the agency to, among other things, conduct a risk assessment, devise written procedures and policies to safeguard and protect devices containing ePHI, implement workforce training, and file annual reports regarding the agency’s compliance with the CAP.