
Part B Insider (Multispecialty) Coding Alert

Physician Note:

Stolen PHI-Filled Jump Drive Leads to $1.7 Million Settlement

Plus: CMS offers NPI search tip.

If your employee's car gets robbed, you typically don't expect the crime to cost you millions--but that's exactly what happened last week when the Alaska Department of Health and Social Services (DHSS) agreed to pay $1.7 million to settle potential HIPAA violations.

Background: A USB hard drive that potentially contained electronic protected health information (ePHI) was stolen from the car of a DHSS employee, after which the Office for Civil Rights found that DHSS "did not have adequate policies and procedures in place to safeguard ePHI," a Department of Health and Human Services news release said. Further investigation revealed that DHSS had not performed a risk analysis or implemented risk management controls, nor had it addressed device encryption.

The DHSS paid the settlement fee and also agreed to a corrective action plan to comply with the HIPAA Security Rule. "Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices," said OCR Director Leon Rodriguez in a June 26 statement. "This is OCR's first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities."

To read the complete news release, visit .