By Jennifer Archie and Suan Ambler-Ebersole

Second Highest HIPAA Settlement Amount to Date and First Paid by a State

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced Tuesday that it had reached a settlement with Alaska’s state Medicaid agency, the Department of Health and Social Services (DHSS) for $1,700,000 arising out of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

In October 2009 a portable USB hard drive was stolen from a DHSS computer technician’s car. While Alaska never determined whether there was electronic Protected Health Information (ePHI) on the hard drive, it nevertheless was required to report the breach to OCR because the hard drive may have contained patient data from the office of children’s services and public health. An OCR investigation following the breach report found institutional problems surrounding the security of ePHI at DHSS that Susan McAndrew, Deputy Director for Health Information Privacy at HHS, called “fairly fundamental and fairly longstanding.” OCR found that DHSS had not completed a risk analysis, had not implemented sufficient risk management measures, had not completed security training for its workforce members, had not implemented device and media controls, nor had it addressed device and media encryption, all of which are required by the HIPAA Security Rule.

The $1.7 million settlement is the second highest settlement amount to date arising out of a potential HIPAA violation. The highest was a $2.25 million settlement paid by CVS pharmacy in 2009 for a potential breach involving the improper disposal of patient information on prescription bottles. McAndrew stated that the settlement amount “is reflective of the number of violations and the period of time over which they occurred.”

In addition to the $1.7 million payment, Alaska entered into a Corrective Action Plan (CAP) that requires DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule. A copy of the Resolution Agreement and CAP is available on the OCR website, here.

The settlement marks the first such agreement between OCR and a state. McAndrew stated that the HIPAA rules, “apply equally to both public and private entities and so we try to deal with both on an evenhanded basis.”

Covered entities should note that dollar fines imposed by OCR can be quite large even if the potential breach itself was relatively small and mundane, or, as in this case, potentially not a breach at all. As expressly provided in the rules, a report of breach commonly occasions an OHR review of a covered entity’s compliance with HIPAA, which may be broader than a review of the specific events or circumstances giving rise to the reported breach. OCR is ramping up its enforcement of the HIPAA Security Rule, from implementing corrective action in zero out of seven reported potential violations in 2005, to 70 out of 128 reported potential violations in 2010. It will not be surprising to see more settlements of this magnitude in 2012.