HIPAA Settlement Requires Covered Entity to Establish New Policies and Procedures, Training and Documentation
Anchorage Community Mental Health Services, Inc. (“ACMHS”), has agreed to pay $150,000 and has entered into a Corrective Action Plan (“CAP”) to correct deficiencies in its HIPAA compliance program.* The CAP provides, among other things, that ACMHS must (1) adopt and implement HHS-approved Security Policies and Procedures, (2) provide security awareness training to staff annually, (3) conduct a risk assessment, and (4) maintain documentation of compliance for six years.
ACMHS is a nonprofit community mental-health care provider defined as a “Covered Entity” under 45 C.F.R. § 160.103, and thus is required to comply with the HIPAA Rules.
ACMHS notified the HHS Office for Civil Rights (OCR)** of a breach of unsecured electronic protected health information (e-PHI) affecting 2,743 individuals, resulting from malware that compromised the security of its information technology system. This is an example of a security breach that ensued because the covered entity did not identify and address some rudimentary risks: it did not regularly update its IT systems with available patches, and it was running out-of-date and unsupported software.
The Alleged Breach
OCR commenced an investigation of ACMHS’s compliance with the Privacy, Security, and Breach Notification Rules. OCR’s investigation showed the following:
- “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS (See 45 C.F.R. § 164.308(a)(1)(ii)(A))”
- “ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B));” and
- “ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”
CAP Key Obligations
- Revision and Distribution of Policies and Procedures
  - ACMHS shall provide HHS with, and officially adopt, revised Security Rule Policies and Procedures.
  - ACMHS shall distribute its revised Security Rule Policies and Procedures to all members of the workforce who use or disclose e-PHI, and to new members of the workforce who will use or disclose e-PHI within thirty (30) days of their beginning of service. In tandem with the Policies and Procedures, ACMHS shall deliver general security awareness training.
  - ACMHS shall obtain a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by the Security Rule Policies and Procedures, and shall maintain copies of the certifications.
- Training
  - ACMHS shall provide HHS with general security awareness training materials for all workforce members who use or disclose e-PHI and receive HHS approval of the training.
  - ACMHS shall provide general security awareness training for each workforce member who uses or discloses e-PHI, and annually thereafter, and to new members of the workforce who use or disclose e-PHI within thirty (30) days of their beginning of service.
  - Each workforce member who is required to receive training must certify that he or she received the training.
  - ACMHS shall review the training at least annually and, where appropriate, update the training to reflect any changes in Federal law or HHS guidance, any issues discovered during audits or reviews, or any other relevant developments.
- Security Management Process
  - ACMHS shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS, and document the security measures ACMHS has implemented or is implementing to reduce the identified risks and vulnerabilities.
- Document Retention
  - ACMHS shall maintain for inspection and copying, and shall provide to OCR upon request, all documents and records relating to compliance with this CAP for six (6) years from the Effective Date.
If the CAP is Breached
If ACMHS breaches the CAP and fails to cure the breach as outlined in the CAP, then ACMHS will be in breach of the Agreement, and HHS may bring actions against ACMHS under the Privacy, Security, and Breach Notification Rules arising out of or related to the above-mentioned occurrences.
* The settlement is not an admission of liability by ACMHS, nor is it a concession by HHS that ACMHS is not in violation of the Privacy Rule, the Security Rule, or the Breach Notification Rule, or that ACMHS is not liable for civil money penalties. It was entered into by HHS and ACMHS in the interest of avoiding the uncertainty, burden, and expense of further investigation and formal proceedings.
** The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”).