$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR of a breach of unsecured electronic protected health information resulting from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.
As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005 but did not follow them. In the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. Over that same period, OCR stated, ACMHS did not implement policies and procedures requiring that security measures be put in place. For a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information transmitted over an electronic communications network, “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
In early December 2014, ACMHS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACMHS to revise its security rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; to provide general security awareness training materials to all workforce members; and to conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACMHS is also required to provide annual reports to HHS on its compliance with the CAP.
In the press release announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance, and HIPAA compliance continues to be a focus of OCR enforcement activity.
Saul Ewing attorneys have experience reviewing and drafting HIPAA privacy rule and security rule policies and procedures, creating and reviewing business associate agreements for covered entities and business associates, and advising clients on HIPAA compliance generally. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.