Not only can you not avoid HIPAA compliance by being a small covered entity (see my April 18, 2012, blog post), but you can’t avoid it by being a state agency, either. The U.S. Department of Health and Human Services (“DHHS”) recently entered into a settlement agreement with Alaska’s Department of Health and Social Services (“DHSS”) after DHSS had reported to DHHS, as required by the HITECH Act, the theft of a portable electronic storage device (a USB hard drive) possibly containing electronic protected health information (“EPHI”) from the vehicle of an employee of the office. The investigation by DHHS’s Office for Civil Rights (“OCR”) revealed that Alaska’s Medicaid office did not have adequate policies and procedures in place to safeguard EPHI. Further, the evidence indicated that the entity had not completed a risk analysis, had not implemented sufficient risk management measures, had not completed security training for its workforce members, had not implemented device and media controls, and had not addressed device and media encryption, as required by the HIPAA Security Rule.
Under the terms of the settlement agreement, Alaska’s DHSS agreed to pay $1.7 million and to enter into a corrective action plan.
OCR Director Leon Rodriguez said in a press release that the Alaska case was “OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”