On December 8, 2014, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a nonprofit, community mental health care provider (“Provider”) arising out of alleged violations of the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The settlement comes after an HHS Office for Civil Rights (“OCR”) investigation into the Provider’s self-reported breach of unsecured electronic protected health information (“ePHI”) for approximately 2,743 individuals arising from security vulnerabilities caused by malware on its information systems. 

OCR investigated the breach and concluded that, from the effective date of the Security Rule on April 21, 2005 until March 12, 2012, the Provider failed to conduct an accurate and thorough risk assessment of IT system vulnerabilities or to implement HIPAA security policies and procedures. OCR also alleged that from January 1, 2008 until March 29, 2012, the Provider failed to implement technical security measures that may have prevented unauthorized access to ePHI transmitted over the Provider’s electronic communications network, such as firewalls, active system traffic monitoring and regular support and update of information technology resources. Accordingly, HHS and the Provider entered into a Resolution Agreement under which the Provider agreed to pay $150,000 to HHS and to perform the following additional obligations under a Corrective Action Plan:

  • Provide HHS with an updated version of its HIPAA Security Rule policies and procedures and adopt such policies and procedures within 30 days of HHS’s approval;
  • Distribute the revised and adopted HIPAA Security Rule policies and procedures to all workforce members who use or disclose ePHI and obtain and maintain a written acknowledgement from each workforce member that he/she read, understands and will abide by the policies and procedures;
  • Provide general security awareness training at specified times and intervals for those workforce members who use or disclose ePHI and obtain and maintain a written acknowledgement from each workforce member that he/she received the training and review the training at least once annually and update it as necessary;
  • Annually conduct a HIPAA Security Rule assessment of the potential risks and vulnerabilities to ePHI; and
  • Submit an annual report of summaries, updates and attestations of the Provider’s compliance with the Corrective Action Plan, including any compliance failures along with any resulting corrective and preventative action taken.

In the bulletin announcing this enforcement action, OCR Director Jocelyn Samuels was quoted as stating that “[s]uccessful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” and that “this includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Practical Takeaways

In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:

  • Conducting a risk assessment to determine where vulnerabilities exist in current practices and systems;
  • Identifying and documenting all systems containing ePHI, including inactive systems or data archives, and the procedures that are in place with respect to access and use of those systems;
  • Actively monitoring operations and systems to ensure that technical safeguards are in place and functioning properly for all systems containing ePHI, including ensuring that any such systems are actively supported and patched, as appropriate;
  • Reviewing policies and procedures affecting privacy and security to ensure that they are thorough and complete;
  • Training workforce members on the details of HIPAA policies and procedures; and
  • Consistently enforcing policies and procedures when conduct occurs that is in violation of them.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.