OCR SETTLES WITH ALASKA MEDICAID FOR $1.7 MILLION

On June 26, OCR announced a resolution agreement and corrective action plan with Alaska's Medicaid agency, the Alaska Department of Health and Social Services ("DHSS"). The precipitating event was the theft of a portable external hard drive from the vehicle of a DHSS employee. According to the breach data that DHSS submitted to OCR, the incident involved the records of 501 individuals, a relatively small number compared to other breaches on OCR's breach report website. Upon investigation, however, OCR allegedly found that DHSS had not completed a risk analysis in accordance with the Security Rule, had not implemented sufficient risk management measures, had not completed security training of its workforce, had not implemented device and media controls, and had not addressed device and media encryption. The resolution agreement involves the payment of $1.7 million. The corrective action plan lasts for three years and focuses on the security of devices containing electronic protected health information (e.g., procedures for tracking, safeguarding, encrypting, and appropriately disposing of or re-using such devices), responding to security incidents, applying sanctions to workforce members who violate the corrective action plan's policies, training, and conducting risk analysis and risk management. DHSS also must obtain the services of an independent monitor, which may significantly add to the cost of the resolution.