The latest Office for Civil Rights (OCR) HIPAA settlement announced on December 8, 2014 highlights the OCR’s recent and continuing focus on the Security Rule. Anchorage Community Mental Health Services (ACMHS) agreed to settle potential HIPAA violations with a $150,000 fine and the adoption of a corrective action plan. This matter was prompted by ACMHS’ report to OCR of a breach of electronic protected health information (PHI) affecting about 2,700 individuals. The OCR determined that the incident was the direct result of ACMHS’ failure to identify and address basic risks such as running outdated and unsupported software, and failure to regularly update software patches. The OCR also noted that while ACMHS had adopted “sample” Security Rule policies and procedures in 2005, such policies and procedures were not followed.
This latest settlement provides the following key reminders to those subject to HIPAA:
- The Security Rule, which relates to electronic PHI, continues to be a focus of the OCR;
- A basic requirement of the Security Rule is that Covered Entities and Business Associates should regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the security of electronic PHI;
- Covered Entities and Business Associates should remain current on software and software patches to help avoid malware and other hacking incidents; and
- HIPAA policies and procedures should be meaningful to your organization and should be regularly used, reviewed, and revised as necessary.