OCR Announces Latest HIPAA Settlement for $150,000: Sends Message on Unpatched and Unsupported Software
On December 2, 2014, the Office for Civil Rights (OCR) entered into a Resolution Agreement with Anchorage Community Mental Health Services, Inc. (ACMHS) following its investigation of a self-reported breach of ACMHS’ electronic health information system: a malware attack that compromised the records of 2,743 individuals. OCR found that the compromise was the direct result of ACMHS “failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
As has been the case in many of the OCR settlements to date, OCR’s investigation found that ACMHS failed to conduct an accurate and thorough risk assessment. That failure led to a further finding that ACMHS failed to reduce the risks and vulnerabilities to ePHI that “by common sense” would have been detected had the organization reviewed its systems “for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” OCR also specifically noted that ACMHS had adopted “model” policies and procedures, which were then not followed.
In addition to the payment of $150,000, ACMHS is subject to a corrective action plan which requires it to report its compliance activities to OCR for a two-year period. The corrective action plan requires ACMHS to:
- Revise its Security Rule policies and procedures, obtain approval of such revisions from HHS, and distribute its revised policies and procedures to all members of its workforce with access to ePHI. Such workforce must sign a certification acknowledging understanding of the policies and the obligation to comply.
- Develop security awareness training materials, obtain approval of such materials from HHS, and provide training to all workforce members within 60 days after HHS’s approval, and at least every 12 months thereafter. Each workforce member shall sign a certification confirming that training was received.
- Conduct an accurate and thorough risk assessment and document the security measures that will be implemented to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
- Investigate any potential violation of its security policies and procedures and report any confirmed violations to HHS within 30 days (regardless of whether or not any information was compromised by the policy violation).
The Resolution Agreement and Corrective Action Plan in this case should be a stark reminder to covered entities that policies on a shelf, if not followed, will not provide a defense in the event of a security incident that compromises protected health information. An accurate and thorough risk assessment continues to be of critical importance in the investigation process; documenting the risks to the PHI held by the organization and implementing measures to reduce those risks should be the top priority of security officers for covered entities.