Alaska’s Medicaid to Pay $1.7 million for HIPAA Violations
Although your practice is not as large as a state Medicaid agency, you can use this incident as a good negative example, because the same principles apply to a smaller practice.
Alaska’s Medicaid program has agreed to pay OCR $1.7 million over potential HIPAA Security Rule violations, OCR announced in a recent press release.
The settlement marks the second largest to date for HIPAA violations, behind CVS Caremark’s $2.25 agreement in 2009. It also marks OCR’s first enforcement action against a state agency.
OCR reported that Alaska’s Department of Health and Social Services (DHSS), the state Medicaid agency, did not have adequate policies and procedures in place to safeguard PHI when a USB hard drive was stolen from an employee’s vehicle.
OCR also found in its investigation that Alaska had not:
* Completed a risk analysis
* Implemented sufficient risk management measures
* Completed security training for its workforce members
* Implemented device and media controls
* Addressed device and media encryption as required by the HIPAA Security Rule
Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
HCP offers training and policies to address all of the above issues. If you participate in HCP’s compliance programs, you will not have to worry about a HIPAA audit or any non-compliance issues.