On June 26, 2012, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1.7 million settlement with the Alaska Department of Health and Social Services (“DHSS”) for violations of the HIPAA Security Rule. This is the first HIPAA enforcement action taken by HHS against a state agency. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that OCR “expect[s] organizations to comply with their obligations under [the HIPAA Security and Privacy Rules] regardless of whether they are private or public entities.”
The settlement relates to the theft of a portable electronic storage device potentially containing electronic protected health information (“ePHI”) from the car of a DHSS computer technician in October 2009. Following the submission of a breach report to OCR as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, OCR began an investigation. As stated in the resolution agreement, OCR determined that DHSS had not complied with the requirements of the Security Rule, including by failing to (1) complete a risk analysis, (2) implement sufficient risk management measures, (3) complete security training for DHSS workforce members, (4) implement device and media controls and (5) address device and media encryption.
Pursuant to the resolution agreement, DHSS has agreed to pay $1.7 million to HHS to settle the potential violations. In addition, the Corrective Action Plan attached to the resolution agreement requires DHSS to develop a comprehensive set of HIPAA policies and procedures and to submit them to OCR for review and approval. After OCR has approved the policies and procedures, DHSS is required to distribute them within 90 days to its workforce members who have access to ePHI and to require such members to acknowledge that they “have read, understand and will abide by such policies and procedures.” The Corrective Action Plan provides that the policies and procedures must include procedures for: (1) tracking devices containing ePHI; (2) safeguarding devices containing ePHI; (3) encrypting devices that contain ePHI; (4) disposing of and/or re-using devices that contain ePHI; (5) responding to security incidents; and (6) applying sanctions to workforce members who violate these policies and procedures. In addition, DHSS is required to train its workforce on the new policies and procedures, conduct a risk analysis and designate a monitor who will report to OCR on DHSS’ compliance with the Corrective Action Plan.