In December 2014, Anchorage Community Mental Health Services (“ACMHS”) entered into a settlement with the HHS Office of Civil Rights (“OCR”) to resolve potential HIPAA Security Rule violations. Under the resolution agreement, ACMHS will pay $150,000.00 and execute a two-year corrective action plan (“CAP”). 

In 2012, ACMHS self-reported to OCR a breach of unsecure electronic protected health information (“ePHI”) due to malware. The breach affected 2,743 patients. OCR’s investigation revealed that although ACMHS had adopted the required Security Rule policies and procedures in 2005, it had not followed them. 

The ACMHS settlement underscores the importance of updating and following adopted policies and procedures; it is not sufficient to simply have them in place.