HIPAA Horror Stories

The Alaska Atrocity

one-minute read

Alaska Fails Patient Privacy

This one goes back a few years, but it’s important to remember the patient privacy fundamentals of the Health Insurance Portability and Accountability Act (HIPAA)… and in this case, those fundamentals were COMPLETELY ignored to the tune of a $1.7 million settlement.

You’d expect two governmental health agencies – one state and one federal – to be on the same page when it comes to the protecting patient privacy. But, in this case, you’d be wrong.

In 2012, the state of Alaska’s Department of Health and Social Services (DHSS) reported to the federal department of Health and Human Services (HHS) that a portable electronic storage device (USB hard drive) possibly containing Electronic Protected Health Information (ePHI) was stolen from the vehicle of a DHSS employee.

Multiple Patient Privacy Violations

During its investigation, the Office for Civil Rights (OCR), the federal agency responsible for conducting HIPAA investigations, found that DHSS did not have adequate policies and procedures in place to safeguard ePHI.

Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The First HIPAA Action Against a State Agency

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said then-OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

In addition to the $1,700,000 settlement, the agreement included a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts.

If you work with a state agency, don’t think you’re immune from HIPAA rules. If you need help with your risk analysis, give us a call.

Photo by McKayla Crump on Unsplash

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

3534 Washington Avenue, Saint Louis, MO 63103
Terms of Service | Privacy Policy

Powered by JEMSU

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free