Native News Network Staff in Native Health.
WASHINGTON - The Alaska Department of Health and Social Services, the state Medicaid agency, has agreed to pay the US Department of Health and Human Services $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
The Alaska Department of Health and Social Services has also agreed to take corrective action to properly safeguard the electronic protected health information of its Medicaid beneficiaries.
The Health and Human Services Office for Civil Rights began its investigation following a breach report submitted by Alaska as required by the Health Information Technology for Economic and Clinical Health Act. The report indicated that a portable electronic storage device (a USB hard drive) possibly containing electronic protected health information was stolen from the vehicle of an Alaska Department of Health and Social Services employee. Over the course of the investigation, the Office for Civil Rights found evidence that the Alaska Department of Health and Social Services did not have adequate policies and procedures in place to safeguard electronic protected health information.
Further, the evidence indicated that the Alaska Department of Health and Social Services had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires the Alaska Department of Health and Social Services to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to the Office for Civil Rights regularly on the state's ongoing compliance efforts.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said Office for Civil Rights Director Leon Rodriguez. “This is the Office for Civil Rights' first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
The Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
Individuals who believe that a covered entity has violated their (or someone else's) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with the Office for Civil Rights at: www.hhs.gov
Posted June 27, 2012, 7:50 am EDT