Possible HIPAA violations by the Alaska Department of Health and Social Services have led to a $1.7 million settlement and a corrective action plan. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) began investigating the September 2009 incident, involving the theft of a portable USB storage device from an Alaska DHSS employee’s vehicle, the following January after the agency submitted a breach report as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The breach report by the DHSS indicated that the device may have contained Personal Health Information (PHI) from approximately 2,000 patients. The OCR’s investigation eventually determined that the DHSS had not addressed device and media encryption and controls, completed a risk analysis or security training, or implemented sufficient risk-management measures. In addition to the monetary settlement, the second largest so far in a HIPAA violation case and the first involving a state agency, the agreement requires the Alaska DHSS to review, revise, and maintain policies and procedures to ensure that it complies with the HIPAA Security Rule in the future, and a monitor will report regularly to the OCR on the agency’s compliance efforts.
The OCR has made it clear that public entities as well as private ones are expected to comply with their obligations under the HIPAA rules. Anyone utilizing Electronic Health Records (EHR) or medical billing systems such as Allscripts MyWay or McKesson Practice Choice needs to adhere strictly to HIPAA rules and safeguard PHI. Microwize Technology can offer guidance.
