Part B Insider (Multispecialty) Coding Alert

Published on Thu Jun 28, 2012 PDF

Plus: CMS offers NPI search tip.

If your employee's car gets robbed, you typically don't expect the crime to cost you millions--but that's exactly what happened last week when the Alaska Department of Health and Social Services (DHSS) agreed to pay $1.7 million to settle potential HIPAA violations.

Background: A USB hard drive that potentially contained electronic protected health information (ePHI) was stolen from the car of a DHSS employee, after which the Office for Civil Rights found that DHSS "did not have adequate policies and procedures in place to safeguard ePHI," a Department of Health and Human Services news release said. Further investigation revealed that DHSS had not performed a risk analysis or implemented risk management controls, nor had it addressed device encryption.

The DHSS paid the settlement fee and also agreed to a corrective action plan to comply with the HIPAA Security Rule. "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR Director Leon Rodriguez in a June 26 statement. "This is OCR's first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."

To read the complete news release, visit www.hhs.gov/news/press/2012pres/06/20120626a.html.