When many people think of “becoming” HIPAA compliant, they think of a one-time goal that, once achieved, they are done. Nothing could be further from the truth as demonstrated by a recent lawsuit against a healthcare organization in Alaska.
Anchorage Community Mental Health Services (ACMHS) was found liable for a security breach involving “unsecured electronic protected health information” (ePHI) for more than 2,700 patients of the mental health firm. ACMHS had to pay a large settlement due to the breach, which was caused by computer malware that infected ACMHS’ IT systems.
The settlement proves that meeting HIPAA security requirements is not a one-time event, but a continual process of checks and balances. Proper risk management is vital, as data breach and security investigations often conclude that many incidents could have been avoided with reasonable risk assessment protocols.
According to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), ACMHS failed to perform some vital security functions. The organization neglected to assess potential risks for a period of seven years and, therefore, didn’t implement appropriate security measures to reduce its risk of a breach. ACMHS also failed to enact safety measures that would limit access to ePHI, and neglected to update its IT systems with new patches and firewalls for nearly four years.
As a result, ACMHS agreed to pay a $150,000 fine and implement a Corrective Action Plan (CAP). Among the requirements of the CAP, ACMHS must:
- Provide security awareness training to employees who use ePHI
- Conduct an annual assessment of potential risks and vulnerabilities
- Notify HHS of security breaches within 30 days
- Make an annual report detailing what, if any, security breaches occurred
- Keep the appropriate documents on hand for inspection purposes
ACMHS was fortunate that OCR did not assign a monitor to oversee its CAP. Having a monitor increases the cost of CAP implementation considerably.
Remember – HIPAA compliance is not something you can put in place and then forget about. It needs to be an ongoing effort if you are to avoid fines and costly CAPs.
Feel free to contact us if you need help with any aspect of HIPAA compliance.