Among the many data security and breach laws that exist, covered health care providers and health plans must also contend with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A recent settlement with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) emphasizes the importance of not only having a data security policy, but of following and updating such a policy.
OCR recently opened an investigation after receiving notification from Anchorage Community Mental Health Services (ACMHS) regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR's investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.
ACMHS agreed to settle potential violations of the HIPAA Security Rule with HHS by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis," said OCR Director Jocelyn Samuels. "This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
The ACMHS settlement is just the latest in a string of recent penalties and settlements stemming from alleged HIPAA privacy and security violations. These penalties and settlements should serve as a reminder of how important it is to comply with the HIPAA Privacy and Security Rules. Health care providers and health plan sponsors should review their existing policies and procedures and remain vigilant in their training of employees.