State agrees to pay $1.7-million fine for possible HIPAA violations

The Alaska Department of Health and Social Services has agreed to pay $1.7-million to the federal government to settle possible HIPAA violations.

HIPAA is short for the Health Insurance Portability and Accountability Act – the federal law governing privacy of medical records.

In October 2009, a portable hard drive – possibly containing patient information for up to 2,000 Alaskans – was stolen from the personal vehicle of a Department of Health and Social Services employee. DHSS immediately reported the theft to the U.S. Department of Health and Human Services. That sparked a federal investigation, which found numerous flaws in the state’s handling of devices containing electronic medical records.

Susan McAndrew – Deputy Director for Health Information Privacy with the U.S. Department of Health – says DHSS did a poor job tracking its digital storage devices and protecting the information on them.

“What we found when our investigators went on site and got documentation from the state were some fundamental and longstanding problems of non-compliance,” McAndrew says. “And in particular in this case, a lack of control over portable media devices.”

DHSS Chief Security Officer Thor Ryan says the timing of the theft was unfortunate. The department was in the middle of a password and encryption project intended to make it harder to access information on lost or stolen devices. That project has since been completed, and Ryan says the department has implemented new policies that further protect patient information.

“We have a password policy,” Ryan says. “And we also have annual training for all of our staff that trains them in the correct crafting of passwords, requires complex passwords and there are HR consequences if people choose to share their passwords inappropriately.”

The settlement agreement was finalized on Friday. In addition to the $1.7-million fine, McAndrew says DHSS will be required to prove compliance with its new policies for three years.

Ryan says the state hasn’t received any reports of the information on the stolen hard drive being used for illicit purposes.