In 2012, the Office for Civil Rights (OCR), a part of the U.S. federal Department of Health and Human Services, levied a $1.7 millon fine against the State of Alaska’s Department of Health and Human Services based on the theft of a stolen portable electronic storage device containing electronic PHI. The OCR instructed DSHS to implement a risk management program in accordance with the HIPAA Privacy and Security rules within a year or be subject to a similar fine due to a recent data breach.

The State had already tried to implement a risk analysis program across multiple divisions with little success. The organizational change push-back was too overwhelming. Time had passed and DSHS now only had less than six months to comply with the OCR or risk a hefty fine. This was a highly visible, high risk effort with a challenging history.

TrueCourse embraced the challenge and proved its leadership ability by conducting quick interviews to support the creation of an approved Risk Management plan that included a policy, user guide, process steps, timeline, compliance database and executive presentations. We then conducted iterative training sessions around the State and held departments accountable to action items to realize the control objectives of the Risk management plan.

The OCR approved the overall plan package and praised the State of Washington for executing the plan so well. Specifically, the OCR was particulalry impressed with how DSHS orchestrated well structured automation, business processes, project management, "go-to" organizational change and executive communication to overcome an extreme hurdle. This resulted in the OCR dropping all investigations and using DSHS as an example for other States' compliance requirements.

Business Sector:

Healthcare and Human Services

TrueCourse's dedicated healthcare team has years of public sector experience and understands how to navigate the numerous technology challenges that public healthcare and human services organizations face.

Learn More

Services implemented to this customer:

Security and Audits

Enterprise-wide risk and security assessments using HIPAA, NIST and ISACA standards.

Learn More