$1.7M Settlement with OCR for HIPAA Security Rule Violations: Alaska DHSS

by | Jun 28, 2012

The theft of a portable hard drive from a staff member of the Alaska Department of Health and Social Services (DHSS) possibly exposed the ePHI of almost 2,000 people. Following a review by the HHS Office for Civil Rights (OCR), a settlement has been agreed and the DHHS must pay the HHS $1.7 million for the HIPAA Security Rule breaches.

The U.S. Department of Health and Human Services’ Office for Civil Rights was advised of the breach when the Alaska DHSS reported the hard drive theft. All healthcare organizations must file a report of data security breaches affecting more than 500 people to the HHS Secretary Sebelius under Health Information Technology for Economic and Clinical Health (HITECH) regulations (Smaller breaches need only to be reported on per year).

A media announcement must also be made to warn potential victims and Breach Notification Rules require all people to be contacted and advised of the security breach to allow them to take action to protect their identities and money.

The investigation found a number of non-compliance issues and inadequate policies and processes to protect the electronic health information of its Medicare beneficiaries. The security holes identified by the OCR should have been listed in a risk analysis, and the lack of safeguards and vulnerabilities made it clear that this vital procedure had not been conducted.

The OCR discovered weaknesses in the risk management policies, portable devices containing ePHI were not secured and device and media controls had not been implemented. Its security staff had also not had the necessary training on data security and was therefore not fully aware of its requirements under the HIPAA Security Rule.

The HIPAA Security rule requires all covered bodies to put in place robust security measures and incorporate the administrative, technical and physical safeguards to protect patient and employee health data. Organizations must also adhere with the HIPAA Privacy rule which was introduced to make it easier for patients to access their data and also safeguard it and restrict access.

The settlement is the second biggest to date and reflects the number of violations found by the OCR and it is the first time a financial penalty has been applied to a state agency. This HIPAA penalty sends a warning to all bodies covered by HIPAA regulations, both private and public, that violating rules will incur financial penalties and the OCR is rigorously policing compliance.

OCR Director, Leon Rodriguez,  said that data breaches involving portable storage devices can easily be avoided. “Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices.”

Alaska Department of Health and Social Services must also implement an action plan to bring its policies and procedures up to date with current legislation and those policies and procedure must be regularly reviewed and updated. In order to track progress, a report on ongoing compliance efforts must also be regularly filed to the OCR.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy