Alaska’s Medicaid program has agreed to pay OCR $1.7 million over potential HIPAA Security Rule violations, OCR announced in a June 26 press release.
The settlement marks the second largest to date for HIPAA violations, behind CVS Caremark’s $2.25 million agreement in 2009. It also marks OCR’s first enforcement action against a state agency.
OCR reported that Alaska’s Department of Health and Social Services (DHSS), the state Medicaid agency, did not have adequate policies and procedures in place to safeguard PHI when a USB hard drive was stolen from an employee’s vehicle.
OCR also found in its investigation that Alaska had not:
- Completed a risk analysis
- Implemented sufficient risk management measures
- Completed security training for its workforce members
- Implemented device and media controls
- Addressed device and media encryption as required by the HIPAA Security Rule
Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
In the corrective action plan, Alaska DHSS must review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR Director Leon Rodriguez said in a statement. “This is OCR’s first HIPAA enforcement action against a state agency, and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
LARGEST SETTLEMENTS TO DATE
The OCR’s largest settlements for HIPAA violations include:
- CVS Caremark Co.: $2.25 million, February 2009
- Alaska Medicaid: $1.7 million, June 26, 2012
- Blue Cross Blue Shield of Tennessee: $1.5 million, March 2012
- Rite Aid: $1 million, July 2010
- Massachusetts General Hospital: $1 million, February 2011
- University of California at Los Angeles Health System: $865,500, July 2011
Note that in February of 2011, OCR fined Cignet Health a $4.3 million civil money penalty, the largest fine for such violations. It was not a settlement.