On December 8, 2014, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Anchorage Community Mental Health Services, Inc. (ACMHS). The agreement, which involved a payment of $150,000 and a corrective action plan, resulted from a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. Malware in ACMHS's system caused the breach. This settlement highlights the importance of regularly updating HIPAA compliance programs, conducting periodic risk analyses, and implementing measures to mitigate risk. In the settlement agreement, OCR observed that, from the April 21, 2005 compliance deadline for the Security Rule, until March 2, 2012 when the breach occurred, ACMHS had not conducted an accurate and thorough assessment of the risks and vulnerabilities to the security of ePHI. ACMHS also allegedly failed to implement required policies and procedures, as well as technical security measures to guard against unauthorized access to ePHI. Specifically, the company allegedly did not ensure that firewalls were in place and did not regularly update its systems with available software patches.
The corrective action plan requires ACMHS to take a number of actions over a two year period. These include updating its Security Rule policies and procedures in accordance with any recommendations from HHS. ACMHS must also distribute the policies and train its workforce members regarding them. Each workforce member must sign a document indicating that they have read, understand, and will abide by the policies. The agreement requires workforce training every twelve months, and new employees must be trained within thirty days of beginning work. Workforce members must also certify in writing that they were trained. The training must be reviewed at least annually and updated when appropriate to address changes in laws or regulations, any issues discovered during audits or reviews, or other relevant developments. The corrective action plan also requires an annual risk analysis. ACMHS must make annual reports to HHS regarding its compliance with the corrective action plan, and must report any compliance failures within 30 days.
This latest OCR settlement highlights the fact that a "set it and forget it" approach to HIPAA compliance is insufficient. Policies, procedures, training and risk analyses must be reviewed periodically and updated as necessary. The agreement also suggests that these reviews, updates, and training should be conducted regularly. Read the full settlement and summary.
