The Department of Health and Human Services (HHS) continues to provide important reminders for covered entities and those businesses that receive protected health information (PHI) under HIPAA through recently announced settlement agreements.
This month, Anchorage Community Mental Health Services, a nonprofit providing behavioral health care services, agreed to settle a potential HIPAA violation involving the electronic PHI of 2,743 patients. Malware on the provider's systems compromised its IT resources and led to a breach notification.
While Anchorage Community Mental Health Services had HIPAA policies, an investigation by HHS concluded they were not followed. The security incident was the direct result of the provider failing to identify and address basic risks, such as not regularly updating its IT resources with available patches and running outdated, unsupported software. This left its systems more susceptible to malware and other threats.
The provider settled for $150,000. The agreement also includes a corrective action plan and requires the provider to report on the state of its compliance to OCR for a two-year period. The Resolution Agreement can be found on the OCR website:
Read the Resolution Agreement
This settlement is important because it shows that it is not enough to have all the right policies. Those policies must be followed, and systems must be reviewed for unpatched vulnerabilities and unsupported software that can leave PHI unprotected. As the settlement reminds us, HIPAA is an ongoing obligation, not a "one and done" compliance program. If you need assistance with HIPAA, please contact Kinney & Larson.