Anchorage Community Mental Health Services, Inc. (“ACMHS”) a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and 2 year Corrective Action Plan with HHS following a breach of 2,743 patient records due to malware. According to the HHS press release:
OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.
According to the Resolution Agreement, OCR uncovered the following HIPAA violations:
- ACMHS failed to conduct an accurate and thorough risk assessment.
- ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
- ACHMS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network. Specifically, HHS noted that ACHMS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
In addition to the $150,000 HIPAA Settlement, ACMHS will be under HHS’ microscope for the next two years. The Corrective Action Plan requires ACMHS to implement the following changes:
- Draft updated and adopt Security Policies and Procedures and submit to HHS within 60 days.
- Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
- Provide training on security awareness to all workforce members and annual training thereafter.
- Perform an accurate and thorough risk assessment.
- Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
- Provide annual reports to HHS.
ACMHS’ settlement provides three key takeaways for covered entities and business associates:
1) Patch & Update. Like Community Health Systems, which reported a breach of 4.5 million patient records due to Chinese hackers targeting a heartbleed vulnerability, ACMHS is finding out the hard way the importance of software patching and updating. Staying up to date on security patches and software updates is not an easy task, but an important one considering that hackers are exploiting these vulnerabilities.
2) Tailor the Security Policies and Procedures. Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI. HIPAA Security policies need to be tailored for the actual information security infrastructure in place at the covered entity/business associate. The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.
3) Security Risk Analysis. Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (suggestion to do this at least annually). The process of drafting the Security Policies and Procedures as well as the security risk assessment will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI. HHS has created a security risk assessment tool to help covered entities (not really business associate focused) in evaluating its security compliance.
For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.