Recent HHS Settlement Highlights Importance of Updating HIPAA Compliance Programs

Holland & Knight LLP

On December 8, 2014, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced a resolution agreement with Anchorage Community Mental Health Services, Inc. (ACMHS). The agreement, which involved a payment of $150,000 and a corrective action plan, resulted from a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. Malware in ACMHS's system caused the breach. This settlement highlights the importance of regularly updating HIPAA compliance programs, conducting periodic risk analyses, and implementing measures to mitigate risk. In the settlement agreement, OCR observed that, from the April 21, 2005 compliance deadline for the Security Rule until March 2, 2012, when the breach occurred, ACMHS had not conducted an accurate and thorough assessment of the risks and vulnerabilities to the security of ePHI. ACMHS also allegedly failed to implement required policies and procedures, as well as technical security measures to guard against unauthorized access to ePHI. Specifically, the company allegedly did not ensure that firewalls were in place and did not regularly update its systems with available software patches.

The corrective action plan requires ACMHS to take a number of actions over a two-year period. These include updating its Security Rule policies and procedures in accordance with any recommendations from HHS. ACMHS must also distribute the policies and train its workforce members regarding them. Each workforce member must sign a document indicating that they have read, understand, and will abide by the policies. The agreement requires workforce training every twelve months, and new employees must be trained within thirty days of beginning work. Workforce members must also certify in writing that they were trained. The training must be reviewed at least annually and updated when appropriate to address changes in laws or regulations, any issues discovered during audits or reviews, or other relevant developments. The corrective action plan also requires an annual risk analysis. ACMHS must make annual reports to HHS regarding its compliance with the corrective action plan and must report any compliance failures within 30 days.

This latest OCR settlement highlights the fact that a "set it and forget it" approach to HIPAA compliance is insufficient. Policies, procedures, training and risk analyses must be reviewed periodically and updated as necessary. The agreement also suggests that these reviews, updates, and training should be conducted regularly. Read the full settlement and summary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising
