Alaska fined for HIPAA violation

Michael P. Tremoglie Jul. 3, 2012, 7:25am

WASHINGTON (Legal Newsline) -- The Alaska Department of Health and Social Services has been fined $1.7 million by the federal government to settle alleged violations of the 1996 Health Insurance Portability and Accountability Act Security Rule.

Some say this is a harbinger of things to come with Obamacare because of the extra layer of bureaucracy it will require.

The HHS Office for Civil Rights received a breach report from Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health Act. The report indicated that a portable electronic storage device possibly containing electronic protected health information was stolen from the vehicle of a DHSS employee.

The investigation by OCR found evidence that DHSS failed to have policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, had insufficient risk management measures, had incomplete security training for its workforce members, and lacked the other safeguards required by the HIPAA Security Rule.

The agreement requires DHSS to implement a corrective action plan in addition to paying the $1.7 million settlement. A monitor will report back to OCR regularly on the state's ongoing compliance efforts.

"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR Director Leon Rodriguez. "This is OCR's first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."

According to the announcement, OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.
