On December 8, 2014, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that Anchorage Community Mental Health Services (“ACMHS”) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  ACMHS will pay a $150,000 penalty and also enter into a two year Corrective Action Plan (“CAP”) to improve its HIPAA security compliance program.

OCR first learned of the potential HIPAA violations upon receipt of a security breach report from ACMHS in March 2012.  At that time, ACMHS reported that the electronic protected health information (“ePHI”) of 2,743 people on its system had been compromised as a result of malware jeopardizing its electronic resources.  Upon investigation, OCR discovered that ACMHS had adopted outdated HIPAA security policies but never implemented them, and also that ACMHS had failed to regularly update IT resources with available patches.  Pursuant to its CAP, ACMHS will adopt and distribute HIPAA security policies and procedures that are up to date.  ACMHS will also conduct training of its workforce, institute a security management process, and promptly submit reports of non-compliance with HIPAA to OCR.

Regarding this settlement, OCR Director Jocelyn Samuels explained that “successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”  Entities subject to HIPAA are advised to ensure that electronic systems have been appropriately updated and that important security patches have been downloaded.