Alaska Medicaid Program Fined $1.7M By HHS

The Alaska Department of Health and Social Services (DHSS), Alaska’s Medicaid program, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7M to settle alleged violations of the HIPAA security rule.  The settlement also includes a corrective action plan to ensure compliance with the HIPAA security rule.

The original 2009 breach report submitted by the Alaska DHSS to the Office of Civil Rights (OCR) indicated that a USB hard drive containing electronic protected health information was stolen from a DHSS employee’s car. The OCR investigation found that the DHSS did not have adequate policies and procedures to safeguard the protected health information of its Medicaid beneficiaries. The OCR also found that DHSS failed to implement adequate risk management measures, conduct employee security training, implement device and media controls, and address media encryption.

The Alaska DHSS Commissioner William J. (Bill) Streur released a prepared statement in which he said that “Agreeing to complete our HIPAA compliance measures and paying a settlement amount is the only way for both parties to avoid costly and protracted litigation - a process with no guaranteed result and that could end up being more expensive for the state.”

This is the first settlement agreement of its kind against a state Medicaid agency. It appears that seven-figure settlements are becoming more the rule than the exception and that the OCR is not afraid to pursue state agencies.