Maintaining HIPAA compliance used to not have much teeth behind it. Times have changed, however, as the Alaska Department of Health and Social Services (DHSS) is all too well aware.

The Alaska DHSS will shell out $1.7 million to settle violations of the HIPAA Security Rule.

The Oct. 12, 2009 breach occurred when thieves stole a portable USB hard drive containing the personal information of 501 state Medicaid beneficiaries. So-called covered health care entities must report any breach of protected health information (PHI) affecting 500 or more people to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

In this case, the hefty settlement price tag was based not on the number of victims, but on the apparently shoddy protected health information security practices the Alaska agency had in place.

Health care security regulators said that based on an investigation, which included an on-site visit, DHSS failed to conduct a risk analysis, deploy adequate risk management practices, complete security awareness training of its employees or implement measures to control and secure its devices.

This marked OCR’s first HIPAA enforcement action against a state agency.