By Kendra Casey Plank
Alaska's Medicaid agency will pay the federal government $1.7 million to
settle allegations it violated the Health Insurance Portability and
Accountability Act Security Rule.
The settlement marks the first time the Department of Health and Human
Services Office for Civil Rights has brought HIPAA enforcement action against a
state, OCR Director Leon Rodriguez said in a June 26 news release announcing the
OCR had alleged the state agency did not comply with Security Rule requirements for:
risk management measures;
workforce security training;
device and media controls; and
device and media encryption.
OCR began investigating data privacy and security practices by the Alaska
Department of Health and Human Services (DHHS) after the state agency in October
2009 reported a data breach, as required under the Health Information Technology
for Economic and Clinical Health (HITECH) Act. The breach occurred when a USB
hard drive on which electronic protected health information (ePHI) was stored
was stolen from a DHHS employee's car, according to the release.
In January 2010, OCR began investigating the breach and determined the state
had violated the HIPAA Security Rule, according to the resolution agreement
between OCR and DHHS. As part of the investigation, DHHS provided OCR with
documentation on its data privacy and security policies and procedures,
including how it was complying with the HIPAA Privacy and Security Rules. In
addition, OCR interviewed agency employees in July 2010.
The resolution agreement is not an admission of liability by DHHS, nor is it
a concession by OCR that the state agency did not violate the HIPAA rules.
“Covered entities must perform a full and comprehensive risk assessment and
have in place meaningful access controls to safeguard hardware and portable
devices,” Rodriguez said in the release. “This is OCR's first HIPAA action
against a state agency and we expect organizations to comply with their
obligations under these rules regardless of whether they are private or public.”
The resolution agreement is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.pdf.