Lack of HIPAA Training and Risk Analysis cited in $1.7 Million HHS Settlement

Posted by BAS - 28 June, 2012


The U.S. Department of Health and Human Services (HHS) announced a $1.7 million settlement with the Alaska Department of Health and Social Services (Alaska DHHS) for alleged violations of the HIPAA Security Rule. In addition to the $1.7 million settlement, Alaska DHHS has agreed to a three-year Corrective Action Plan to address HIPAA Security compliance.

Alaska DHHS reported that electronic Protected Health Information (e-PHI) may have been compromised because a portable electronic storage device (e.g., a USB drive or thumb drive) containing protected health information was stolen from an employee’s vehicle. Under the Health Information Technology for Economic and Clinical Health (HITECH) amendment to HIPAA, the HHS Office of Civil Rights (OCR) is responsible for investigating reports of breaches of electronic PHI. During its investigation, OCR noted that Alaska DHHS did not have adequate policies and procedures in place to protect and secure e-PHI. In particular, OCR found that Alaska DHHS had not met several of the HIPAA Security requirements, including employee training, risk analysis and risk management controls.

This settlement agreement makes clear the importance of reviewing your HIPAA Security requirements and ensuring that employees are properly trained on the protection of PHI and electronic PHI.

BAS can assist with developing customized HIPAA Privacy and Security training for your employees. For more information about our service, please email

Topics: MyEnroll360 Security
