BreachExchange mailing list archives

Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 15 Dec 2014 22:41:33 -0700

http://www.jdsupra.com/legalnews/failure-to-follow-hipaa-policies-results-72603/

The U.S. Department of Health and Human Services, Office for Civil Rights
(HHS-OCR) has recently released information about another HIPAA settlement,
emphasizing yet again the government's focus on the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Security Rule. The
settlement underscores that organizations cannot merely adopt HIPAA
policies but that they must actually implement and follow those policies in
practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage
Community Mental Health Services (ACMHS), a nonprofit organization
providing behavioral health care services in Anchorage, Alaska, agreed to
settle potential violations of the HIPAA Security Rule. HHS-OCR opened an
investigation upon receiving notification from ACMHS regarding a breach of
unsecured electronic protected health information (ePHI). The breach was
the result of malware that compromised the security of ACMHS' information
technology (IT) resources and affected 2,743 individuals. During its
investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security
Rule policies and procedures in 2005, but these policies and procedures
were not followed. Significantly, ACMHS may have avoided the breach (and
would not be subject to the HHS-OCR settlement agreement) if it had
followed the policies and procedures it adopted and regularly updated its
IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a
corrective action plan to correct deficiencies in its HIPAA compliance
program and to report to HHS-OCR on the state of its compliance for two
years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements
arising from an HHS-OCR investigation prompted by an organization
self-reporting a breach of unsecured ePHI; however, HHS-OCR may also
examine an organization's HIPAA compliance program after receiving a
complaint or as part of its annual audit protocol. In every instance,
HHS-OCR will expect an organization to have fully implemented its HIPAA
compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires
organizations (among other things) to address risks to ePHI on a regular
basis and to review systems for vulnerabilities and unsupported software.
Organizations cannot simply adopt HIPAA policies and procedures and then
place those documents on a shelf. HIPAA compliance programs must be dynamic
and reviewed and updated on a regular basis to reflect changes within the
organization, including discovered vulnerabilities and ever-evolving
external threats. Threats to ePHI are real and can have a devastating
impact on a business – and patients' privacy. All organizations subject to
HIPAA, regardless of size, must devote the necessary resources to protect
the organization's data from these threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss