In 2009, the Alaska Department of Health and Social Services (DHSS) informed the US Department of Health and Human Services that an unencrypted USB drive that may have contained electronic protected health information (ePHI) of Medicaid recipients was stolen from the vehicle of a DHSS employee.
As a result of an investigation into the breach, the HHS Office of Civil Rights (OCR) determined that the Alaska agency did not have adequate policies and procedures in place to safeguard ePHI. The OCR also uncovered that the agency had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Health Insurance Portability and Accountability Act (HIPAA) security rule.
To settle possible HIPAA violations, DHSS agreed to pay a hefty $1.7 million fine, as well as implement a corrective action plan that requires it to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA security rule. OCR has appointed a monitor to check up on the state’s efforts in this area.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR director Leon Rodriguez. “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”