Healthcare News & Insights

State Medicaid agency settles HIPAA case for big bucks

Want to save your hospital a ton of money? Make sure your facility has the best possible policies and procedures in place to safeguard electronic protected health information (ePHI). Alaska’s Medicaid agency is wishing it had.

Unfortunately, the Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, didn’t, and now it’s paying $1,700,000 to settle possible HIPAA Security Rule violations.

Here’s what happened:

Alaska DHSS submitted a breach report, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the U.S. Department of Health and Human Services (HHS), the report indicated a USB hard drive, possibly containing ePHI, was stolen from an Alaska DHSS employee’s vehicle. During its investigation, the HHS Office for Civil Rights (OCR) found Alaska DHSS didn’t have adequate policies and procedures in place to safeguard ePHI.

In addition, OCR found the agency hadn’t:

  • completed a risk analysis
  • implemented sufficient risk management measures
  • completed security training for its workforce members
  • implemented device and media control, or
  • addressed device and media encryption as required by the HIPAA Security Rule.

The Alaska DHSS agreement includes not only the big-bucks settlement but also a corrective action plan that requires the agency to review, revise and maintain policies and procedures to ensure compliance with the HIPAA Security Rule and properly protect the ePHI of its Medicaid beneficiaries. A monitor must report back to OCR on a regular basis on the state’s ongoing compliance efforts.

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said Leon Rodriguez, the director of OCR. “This is OCR’s first HIPAA enforcement action against a state agency, and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

 
