Alaska to Pay $1.7 Million in First HIPAA Enforcement Action Against a State Agency

By Kendra Casey Plank  

Alaska's Medicaid agency will pay the federal government $1.7 million to settle allegations it violated the Health Insurance Portability and Accountability Act Security Rule.

The settlement marks the first time the Department of Health and Human Services Office for Civil Rights has brought a HIPAA enforcement action against a state, OCR Director Leon Rodriguez said in a June 26 news release announcing the settlement.


OCR had alleged the state agency did not comply with Security Rule requirements for:

• conducting risk analyses;
• implementing risk management measures;
• completing workforce security training;
• implementing device and media controls; and
• addressing device and media encryption.

OCR began investigating data privacy and security practices by the Alaska Department of Health and Human Services (DHHS) after the state agency in October 2009 reported a data breach, as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The breach occurred when a USB hard drive on which electronic protected health information (ePHI) was stored was stolen from a DHHS employee's car, according to the release.

In January 2010, OCR began investigating the breach and determined the state had violated the HIPAA Security Rule, according to the resolution agreement between OCR and DHHS. As part of the investigation, DHHS provided OCR with documentation on its data privacy and security policies and procedures, including how it was complying with the HIPAA Privacy and Security Rules. In addition, OCR interviewed agency employees in July 2010.

The resolution agreement is not an admission of liability by DHHS, nor is it a concession by OCR that the state agency did not violate the HIPAA rules.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” Rodriguez said in the release. “This is OCR's first HIPAA action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The resolution agreement is at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.pdf.