Alaska Provider Reaches HIPAA Settlement with OCR for Security Deficiencies

On December 8, 2014, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that Anchorage Community Mental Health Services (“ACMHS”) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). ACMHS will pay a $150,000 penalty and also enter into a two-year Corrective Action Plan (“CAP”) to improve its HIPAA security compliance program.

OCR first learned of the potential HIPAA violations upon receipt of a security breach report from ACMHS in March 2012. At that time, ACMHS reported that the electronic protected health information (“ePHI”) of 2,743 people on its system had been compromised as a result of malware jeopardizing its electronic resources. Upon investigation, OCR discovered that ACMHS had adopted outdated HIPAA security policies but never implemented them, and also that ACMHS had failed to regularly update IT resources with available patches. Pursuant to its CAP, ACMHS will adopt and distribute HIPAA security policies and procedures that are up to date. ACMHS will also conduct training of its workforce, institute a security management process, and promptly submit reports of non-compliance with HIPAA to OCR.

Regarding this settlement, OCR Director Jocelyn Samuels explained that “successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” Entities subject to HIPAA are advised to ensure that electronic systems have been appropriately updated and that important security patches have been downloaded.

This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.
