On Monday, December 8th, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a bulletin about its $150,000 settlement with Anchorage Community Mental Health Services (ACMHS) relating to potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. OCR’s bulletin is available here. The settlement agreement is available here.
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities to provide notification to HHS following a breach of unsecured protected health information. After notification is provided, OCR investigates whether covered entities complied with the applicable provisions of the Privacy and Security Rules. If OCR identifies violations, it may pursue a civil money penalty in the amount of $100-$50,000 per violation, up to a maximum penalty of $1.5 million for identical violations. In determining the appropriate amount of a penalty, OCR will consider several factors, including the nature and extent of the violation, the nature and extent of resulting harm, the covered entity’s history of compliance, and the covered entity’s financial condition.
ACMHS is a five-facility, nonprofit organization providing behavioral health care services in Anchorage, Alaska. On March 2, 2012, ACMHS reported a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. The breach occurred over the span of approximately two weeks, from December 20, 2011, through January 4, 2012. The breach was caused by malware that had been installed on a desktop computer.
OCR initiated an investigation and alleged that ACMHS violated HIPAA’s Security Rule in at least three ways. First, OCR alleged that ACMHS failed to conduct an accurate and thorough assessment of the potential risks to the confidentiality and availability of its ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). OCR provides a Security Rule Risk Assessment Tool, which is available here. Second, although ACMHS adopted sample policies and procedures requiring the implementation of security measures, OCR alleged ACMHS altogether failed to implement its policies and procedures, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B). Third, OCR alleged ACMHS failed to implement basic technical security measures to guard against a breach, including ensuring that adequate firewalls were in place and that information technology resources were both supported and regularly updated with available patches. The bulletin describes these measures as part of a “common sense approach to assessing and addressing the risks to ePHI on a regular basis[.]”
ACMHS complied with OCR’s investigation and ultimately agreed to settle the alleged violations for a total civil monetary penalty of $150,000. In addition to the penalty, the settlement agreement includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for two years.
The settlement highlights an important issue for HIPAA covered entities. As the health care industry rapidly transitions toward technology-based care, proper compliance requires frequently assessing ePHI security risks and updating protective measures. It is not enough to simply adopt model security policies and procedures. Policies and procedures must be effectively implemented, periodically reviewed, and updated as necessary to address new threats and changes in the organization’s operations and structure.
Hooper, Lundy & Bookman assists clients with federal and state medical-privacy law compliance, including assessing and addressing security risks and responding to breaches of privacy.
For more information, please contact: in San Francisco, Steve Phillips or Paul Smith at 415.875.8500; in Los Angeles, Hope Levy-Biehl or Amy Joseph at 310.551.8111; in San Diego, Jennifer Hansen or Stanton Stock at 619.744.7300; and in Washington, D.C., Kelly Carroll at 202.580.7700.