Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

By Erin Fleming Dunlap and Rebecca Frigy, Polsinelli.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI). The breach was the result of a malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, OCR-HHS found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business -- and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.