The Alaska Department of Health and Social Services (DHSS), the State Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible violations of the HIPAA Security Rule.
Alaska DHSS also agreed to take corrective action to properly safeguard electronic protected health information (ePHI) of Medicaid beneficiaries. The HHS' Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the HITECH Act.
The report indicated a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. The OCR found evidence the DHSS did not have adequate policies and procedures in place to safeguard ePHI.
Furthermore, the evidence indicated the DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
The agreement includes a corrective action plan that requires the DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on ongoing compliance efforts.
Posted June 27 at: http://www.healthimaging.com/index.php?option=com_articles&view=article&id=344