The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $150,000 settlement with Anchorage Community Mental Health Services, Inc. (“ACHMS”) in connection with a data breach caused by malware. ACHMS, which provides nonprofit behavioral health care services in Alaska, experienced a breach in March 2012 that affected the electronic protected health information (“ePHI”) of 2,743 individuals. After ACHMS reported the breach to the HHS Office for Civil Rights (“OCR”), OCR investigated ACHMS and found several HIPAA Security Rule violations, including that ACHMS had failed to:
- conduct a risk assessment;
- develop and implement policies and procedures to sufficiently reduce risks to ePHI to a reasonable and appropriate level; and
- ensure that firewalls were in place and that its information technology resources were regularly updated with available patches.
In the resolution agreement, ACHMS agreed to pay a $150,000 settlement to HHS and enter into a Corrective Action Plan that requires ACHMS to:
- submit its HIPAA Security Rule policies and procedures to OCR for review and approval;
- officially adopt and distribute the HIPAA Security Rule policies and procedures after OCR has approved them;
- obtain a signed compliance certification from members of its workforce that they will abide by the HIPAA Security Rule policies and procedures;
- provide security awareness training for its workforce;
- conduct an annual risk assessment that evaluates the risks to ePHI;
- report any events of noncompliance with its HIPAA Security Rule policies and procedures; and
- submit annual compliance reports to HHS for a period of two years.
In the Bulletin accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that HIPAA compliance “requires a common sense approach” and should encompass “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”