This post was written by Brad Rostolsky and Jeremy Alexander.
On December 8, 2014, the HHS Office for Civil Rights (OCR) announced that it has agreed to settle potential HIPAA Security Rule violations with Anchorage Community Mental Health Services (ACMHS), a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska. ACMHS has agreed to pay $150,000 to settle potential violations of HIPAA following an OCR investigation triggered by a self-reported breach that affected 2,743 individuals.
The breach, reported by ACMHS on March 2, 2012, was allegedly caused by malware compromising the security of its information technology resources. OCR noted that the breach was a direct result of ACMHS “failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
On June 1, 2012, OCR notified ACMHS of OCR’s investigation regarding ACMHS’s compliance with the Security Rule. Per the Resolution Agreement, the investigation revealed that ACMHS: (1) failed to conduct an accurate and thorough security risk assessment and failed to implement security measures to reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate level; and (2) failed to implement technical security measures to guard against unauthorized access to e-PHI by failing to ensure that: (a) firewalls were in place with threat identification monitoring of inbound and outbound traffic; and (b) information technology resources were both supported and regularly updated with available patches.
In addition to the $150,000 settlement, the Resolution Agreement between ACMHS and OCR included a corrective action plan, which requires ACMHS to, among other things: (1) revise its Security Rule policies and procedures for OCR review; (2) provide general security awareness training to its workforce members; (3) annually conduct a risk analysis; (4) notify OCR of certain reportable events; and (5) submit annual reports to OCR related to the preceding obligations.
As we have previously noted in connection with a March 2014 settlement in which Skagit County in northwest Washington State agreed to pay $215,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules, many HIPAA enforcement actions since 2012 continue to result from a breach self-report used by OCR as an opportunity to conduct a de-facto/backdoor audit of the entity’s general HIPAA compliance. In addition, OCR continues to frequently hammer entities that fail to comply with the obligation to conduct a comprehensive Security Rule risk analysis.
Given the current environment of increased OCR enforcement, it is highly recommended that regulated entities implement the basic elements of HIPAA compliance—performance of a Security Rule risk analysis, implementation of sufficient policies and procedures, and adequate training of workforce members. OCR noted in the bulletin summarizing this settlement that ACMHS had “adopted sample policies and procedures in 2005, but these were not followed.” Therefore, regulated entities should be aware that merely adopting the required Security Rule policies and procedures will often fall short of OCR’s expectations; the ongoing and active monitoring and implementation of administrative, physical and technical safeguards is a necessary part of meeting compliance obligations. OCR specifically emphasized that it believed ACMHS failed to implement specific technical safeguards, including firewalls and security patches, suggesting that regulated entities should ensure that technical safeguards are frequently monitored and updated.
ACMHS did not admit any liability in the agreement and OCR did not concede that ACMHS was not liable for civil monetary penalties.
For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.