Advertisement

May 21, 2013

Alaska Medicaid Settles HIPAA Security Case for $1.7 Million

von Briesen & Roper, S.C.
Meghan C. O'Connor
von Briesen & Roper, S.C.
Monday, July 2, 2012
Administrative & Regulatory / Civil Rights / Consumer Protection / Health Law & Managed Care / Litigation / Trial Practice
All Federal / Alaska
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced earlier this week that it reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) in order to settle possible violations of the HIPAA Security Rule.  The enforcement action is OCR’s first HIPAA enforcement action against a state agency. It demonstrates OCR’s commitment to enforcing HIPAA obligations with both private and public entities.

The settlement is a result of an investigation conducted by OCR following the submission of a HIPAA breach report by Alaska DHSS as required by the breach notification provisions of HITECH. The report submitted by Alaska DHSS noted that a portable electronic storage device (a USB hard drive) that contained electronic protected health information (ePHI) was stolen from a vehicle of a DHSS employee. The USB drive contained ePHI of more than 500 Alaska Medicaid beneficiaries.

OCR’s investigation indicated that Alaska DHSS did not have adequate policies and procedures in place to safeguard ePHI. OCR’s investigation also found evidence indicating that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and medical encryption as required by the Security Rule.

As a result of the violations, Alaska DHSS entered into a settlement agreement under which it agreed to pay $1.7 million and implement a corrective action plan to properly safeguard ePHI of its Medicaid beneficiaries. The terms of the corrective action plan require DHSS to:

  • Develop, maintain, and revise as necessary written policies and procedures related to completion of a risk analysis, implementation of sufficient risk management measures, completion of security training for the DHSS workforce, implementation of device and medial controls, and device and media encryption. The policies must include the minimum content outlined in the corrective action plan and must be developed within 90 days of the effective date of the resolution agreement. In addition, DHSS must develop a procedure for investigating and sanctioning workforce members for violations.
  • Distribute policies and procedures to all DHSS workforce members with access to ePHI within 90 days of OCR’s approval.
  • Conduct general Security Rule training and specific training for all new policies and procedures for all DHSS workforce members with access to ePHI.
  • Conduct an accurate and thorough risk assessment and implement security measures to reduce risk and vulnerabilities.
  • Designate an independent individual or entity to monitor and review DHSS’s compliance with the corrective action plan.

The resolution agreement and corrective action plan between DHSS and OCR are available here.

©2013 von Briesen & Roper, s.c

About the Author

Meghan C. O'Connor

Meghan O’Connor is a member of the Health Care Practice Group. Her practice focuses on general health law including managed care and provider contracting, risk management, and regulatory compliance.

Prior to joining von Briesen, Meghan worked for the Centers for Medicare and Medicaid Services where she consulted with states regarding federal health law, regulation and policy, evaluating managed care contracts and conducting compliance reviews.

moconnor@vonbriesen.com
414-287-1586
www.vonbriesen.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.