Covered Entities and their Business Associates must comply with HIPAA’s Security Rule, or they may face substantial penalties. The Office of Civil Rights (OCR) recently shared a resolution agreement that emphasizes the importance of basic security measures.
Anchorage Community Mental Health Services (ACMHS) recently entered into a resolution agreement with the OCR that includes $150,000 in penalties, a corrective action plan and a two-year compliance reporting period. ACMHS had failed to update its IT resources with available patches and ran outdated, unsupported software; as a result, malware compromised the security of ACMHS’s information technology resources, causing a breach of the unsecured electronic protected health information (ePHI) of 2,743 individuals.
The breach prompted an investigation, in which OCR found that ACMHS:
- Had adopted sample Security Rule policies and procedures but failed to adhere to them
- Failed to conduct accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI
- Failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to e-PHI to a reasonable and appropriate level
- Failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure firewalls were in place with threat identification monitoring of inbound and outbound traffic
- Failed to ensure information technology resources were both supported and regularly updated with available patches.
These blunders are proof positive that oversights in basic IT management can lead to a large-scale breach.
Below are six suggestions on how to avoid such pitfalls and get on top of the basics:
- Identify software key to the security of information and establish procedures and maintenance schedules to ensure timely installation of patches and updates
- Identify employees who are responsible for monitoring and installing available patches and updates
- Ensure firewalls are in place with threat identification monitoring of inbound and outbound traffic
- Adequately support information technology resources
- Regularly conduct security risk assessments, including an evaluation of what risks might be posed by the software and hardware in use, and promptly address areas of high risk
- Implement, follow and regularly update HIPAA policies and procedures that are developed to address the security risks of your organization, as identified by security risk assessments: don’t put sample HIPAA policies on a shelf to collect dust.
One final note: ACMHS was fined $150,000 (rather than millions of dollars) for a substantial failure to adhere to HIPAA requirements and a breach which involved the mental health information of more than 2,500 patients. However, it is unlikely that the amount of HIPAA penalties is generally decreasing. ACMHS is a nonprofit organization which provides mental health services to underinsured and uninsured patients in Anchorage. The relatively modest fine likely shows how OCR takes into account the financial resources and role an organization plays in its community when assessing a fine. Organizations with financial resources that are not so modest should not expect a similarly light outcome.