By Anna Kraus and Rachel Grunberger
The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule. This is HHS’s first HIPAA enforcement action against a State agency, and HHS stated in the press release that it “expect[s] organizations to comply with their obligations under [the HIPAA rules] regardless of whether they are private or public entities.”
HHS’s Office for Civil Rights (OCR) began investigating Alaska Medicaid after receiving a breach report from the agency in October 2009. The report indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a computer technician employed by the State. HHS subsequently determined through its investigation that Alaska Medicaid had not complied with HIPAA Security Rule requirements to:
- complete a risk analysis;
- implement sufficient risk management measures;
- complete security training for its workforce members;
- implement device and media controls; and
- address device and media encryption.
To settle these potential violations, Alaska Medicaid entered into a resolution agreement with HHS under which it agreed to pay $1.7 million. The agency also agreed to comply with a corrective action plan that requires it to, among other things:
- develop and implement specific policies and procedures that address the issues identified in the investigation;
- train all members of its workforce who have access to e-PHI on the HIPAA Security Rule and the new policies and procedures;
- conduct a risk assessment and provide a description of proposed risk management measures to HHS; and
- appoint a monitor to report to OCR regularly on the State’s compliance efforts.
A copy of the resolution agreement is available here.
This enforcement action against Alaska Medicaid suggests that HHS will be taking a closer look at HIPAA compliance by State Medicaid agencies, particularly given the number of agencies that have reported data breaches in recent months.