A recently announced settlement between Anchorage Community Mental Health (“ACMHS”) and the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) emphasizes, once again, the importance of compliance with the Security Rule and keeping IT infrastructure up to date.  ACMHS, a five-facility nonprofit organization based in Anchorage, agreed to pay $150,000 and adopt a corrective action plan to address compliance with the HIPAA Security Rule. 

OCR began investigating ACMHS after ACMHS reported a malware-caused breach of unsecured electronic protected health information (e-PHI) involving 2,700 individuals in March 2012.  In its investigation, OCR concluded that ACMHS failed to conduct a thorough risk assessment, failed to implement Security Rule policies and procedures, and failed to implement technical security measures to protect e-PHI through the use of firewalls and regularly supported and updated software.  OCR’s bulletin announcing the settlement noted that though ACMHS had adopted sample Security Rule policies and procedures, it failed to follow those policies and procedures.

OCR has repeatedly emphasized the importance of conducting risk assessments and continuing to update and revise risk assessments based on new threats.  This emphasis was a key takeaway from the September Joint OCR/NIST HIPAA Security Conference, which we previously profiled, and was highlighted by OCR’s release of a Security Risk Assessment Tool earlier this year.  The ACMHS settlement underscores that Security Rule compliance cannot be accomplished with a one-size-fits-all, “check the box” approach.  Instead, compliance requires entities to undertake a thorough and tailored risk assessment and to routinely assess new threats and vulnerabilities. 

The resolution agreement and a copy of the corrective action plan are available on OCR’s website.