Health Law Alert: Medicaid Pays $1,700,000 to Settle HIPAA Security Violations


In its first enforcement action against a state agency, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled last month with Alaska’s Department of Health and Social Services (DHSS) for HIPAA security violations that DHSS reported as required by HITECH. DHSS entered into a settlement agreement and agreed to pay $1,700,000 after a USB hard drive (an electronic storage device) potentially containing electronic protected health information (ePHI) was stolen from the vehicle of a DHSS computer technician in October 2009.

The HITECH Breach Notification Rule requires covered entities to report a breach (an impermissible use or disclosure of ePHI) affecting 500 or more individuals to the Secretary of HHS and the media. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary of HHS annually. OCR investigates each breach affecting 500 or more individuals reported under HITECH. In this case, OCR reviewed DHSS’s written response, policies, procedures, information regarding training activities and documentation related to compliance with the Privacy and Security Rules, and conducted on-site interviews of the DHSS workforce. At the conclusion of its investigation, OCR found that DHSS did not...

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
