Recent Court Case Proves HIPAA Compliance Is Ongoing Process
February 15, 2016
When many people think of “becoming” HIPAA compliant, they think of a one-time goal that, once achieved, they are done. Nothing could be further from the truth as demonstrated by a recent lawsuit against a healthcare organization in Alaska.
Anchorage Community Mental Health Services (ACMHS) was found liable for a security breach involving “unsecured electronic protected health information” (ePHI) for more than 2,700 patients. The mental health firm had to pay a large settlement due to the breach, which was caused by computer malware that infected ACMHS’ IT systems.
The settlement proves that meeting HIPAA security requirements is not a one-time event, but a continual process of checks and balances. Proper risk management is vital, as data breach and security investigations often conclude that many incidents could have been avoided with reasonable risk assessment protocols.
According to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), ACMHS failed to perform some vital security functions. The organization neglected to assess potential risks for a period of seven years and, therefore, didn’t implement appropriate security measures to reduce its risk of a breach. ACMHS also failed to enact safety measures that would limit access to ePHI, and neglected to update its IT systems with new patches and firewalls for nearly four years.
As a result, ACMHS agreed to pay a $150,000 fine and implement a Corrective Action Plan (CAP). Among the requirements of the CAP, ACMHS must:
- Provide security awareness training to employees who use ePHI
- Conduct an annual assessment of potential risks and vulnerabilities
- Notify HHS of security breaches within 30 days
- Make an annual report detailing what, if any, security breaches occurred
- Keep the appropriate documents on hand for inspection purposes