On Monday, December 8th, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services announced another new HIPAA settlement. As with most recent settlements, the latest settlement is being held up as an example of what not to do.
This time, Anchorage Community Mental Health Services (“ACMHS”) has agreed to pay $150,000 after failing to follow the requirements of the HIPAA Security Rule. The settlement is the result of a self-notification filed by ACMHS that malware had infected its information technology systems, resulting in a breach impacting approximately 2,743 individuals. When OCR investigated, it found that ACMHS had implemented security policies. However, ACMHS did not tailor the policies to its own operations, nor did ACMHS actually follow the policies it adopted. The lack of adherence resulted in ACMHS not identifying or addressing basic security risks, including failing to update its technology resources. The lack of updates left the systems vulnerable to malware.
In addition to paying the fine, ACMHS is required to implement a corrective action plan prepared by OCR. The corrective action plan remains in place for 2 years, but it should act as the baseline for a good HIPAA compliance plan going forward. The terms of the corrective action plan are fairly straightforward and do not contain any surprises. The requirements are essentially to comply with the HIPAA Privacy and Security Rules, which all covered entities and business associates should do anyway.
As indicated above, the breach in this case was caused by a failure to update software and install patches as necessary. This demonstrates the need to evaluate information technology systems regularly to ensure that they remain current and up to date. An organization cannot install a piece of software or hardware and expect that it will always serve its purposes. Attacks on systems and exploitation of vulnerabilities are always evolving, which means the systems being attacked must evolve as well.
With regard to the HIPAA Security Rule, organizations should remember that compliance is customizable. The Security Rule recognizes and acknowledges that all organizations are different. As such, certain elements are required and others are addressable. The required elements must be put into place, and organizations need to make a case-by-case assessment of how to deal with the addressable items. A risk analysis is the essential first step, as the analysis will identify an organization's areas of weakness.
It is not enough, though, to do a risk analysis once and then prepare and implement policies. HIPAA Security Policies must be living, breathing documents that adapt to changing circumstances. An area of high vulnerability in the year of adoption can drop by the wayside a few years down the road, while an area that was unknown at first becomes a major risk. The changing environment is why organizations must constantly monitor and evaluate policies to ensure good coverage.
Lastly, putting policies into place and not following them, as ACMHS did, is a big problem. When a breach or other instance of non-compliance arises, having unfollowed policies will be a major red flag for the government. If policies are adopted, then an organization is arguably aware of what it had to do in order to comply. Willful or negligent failure to follow the policies could then be grounds for a higher fine and other penalties being imposed. Education and awareness are essential. Compliance can take up time and it is not always easy to measure the return on investment, but the money that can be saved down the road is likely incalculable.