Alaska's Department of Health and Social Services (DHSS) recently agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible HIPAA violations related to the 2009 theft of a USB hard drive containing 501 people's electronic personal health information (ePHI) from a DHSS employee's vehicle.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

"Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), said in a statement. "This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."