The latest announcement by HHS regarding settlement of an investigation under the HIPAA privacy, security, and breach-notification rules reflects an increased focus by HHS on security-related issues and the need for health plans and other covered entities to take reasonable steps to protect PHI from hacking, viruses, and malware attacks.

Background. The covered entity in this case (a non-profit community mental health services organization) reported a breach affecting the PHI of approximately 2,700 individuals. The breach was caused by a malware attack on the covered entity’s IT system. The system was using outdated software that made it vulnerable to attack. Following the HHS investigation, the covered entity agreed to a settlement that included a cash payment of $150,000 and a two-year corrective action plan.

Keep Your Software Updated! A key takeaway from this case is that covered entities will be held responsible for maintaining a sound IT infrastructure. System software must be kept up-to-date, and appropriate technical security measures must be implemented, such as firewalls capable of threat monitoring.

Common Sense Approach. Although covered entities may have varying degrees of technical sophistication, HHS’s press release emphasized the need for a “common sense approach” to risk mitigation. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave [PHI] susceptible to malware and other risks.”

Adopting Policies Isn’t Enough. Another key takeaway is that adopting policies and procedures to address the HIPAA privacy and security rules is only the beginning of an appropriate HIPAA compliance program. The policies must be implemented, followed, and monitored. That didn’t happen in this case. “OCR's investigation revealed that [the covered entity] had adopted sample Security Rule policies and procedures in 2005, but these were not followed.”

Risk Assessments Are Key. Implementation of a HIPAA security policy involves (among other things) conducting a risk assessment to understand and identify potential risks and then taking steps to address those risks. HHS is unlikely to be forgiving in situations where a security incident could have been prevented by conducting a basic risk assessment and implementing a basic security management plan.

Cooperation Counts. And now for some good news. The press release from HHS makes specific reference to the fact that the covered entity “cooperated with [HHS] throughout its investigation and has been responsive to technical assistance provided to date.” This suggests that covered entities may be able to make even bad situations better by approaching them with the right attitude. The $150,000 settlement paid in this case was not insignificant. But it was far less than the seven-figure settlements paid in other recent cases involving HIPAA breaches.

Something for Everyone. Although this case involved a healthcare provider rather than a health plan, there are lessons in the case for all covered entities. There is every reason to believe health plans will be held to the same security standards under HIPAA as healthcare providers. Health plans need to take stock of potential security concerns and make sure they have implemented steps to address those concerns using at least a “common sense approach” to security compliance.

A copy of the HHS press release is here.

A copy of the resolution agreement is here.