On December 2, 2014, the Anchorage Community Mental Health Services (ACMHS) agreed to pay $150,000 under a settlement agreement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. ACMHS entered the settlement agreement after an OCR investigation revealed that ACMHS had failed to implement adequate security measures to guard against unauthorized access to electronic protected health information (e-PHI). The settlement underscores the importance of regularly reviewing and addressing risks to e-PHI.
OCR launched an investigation after ACMHS reported a breach of unsecured ePHI from malware compromising the security of its information technology resources. OCR concluded that ACMHS had failed to thoroughly assess potential risks to its e-PHI, implement policies and procedures that would reduce e-PHI vulnerabilities to a reasonable level, and identify and address basic risks, such as running outdated, unsupported software. Also, even though it had adopted sample Security Rule policies and procedures in 2005, OCR found that ACMHS had not followed those policies and procedures.
Along with paying $150,000 to settle these potential HIPAA violations, ACMHS will implement a corrective action plan and regularly report its compliance with HIPAA requirements to OCR during the next two years. This settlement highlights the need for organizations handling PHI to regularly review and update the administrative, physical, and technical safeguards that protect the security of this information. OCR and the Office of the National Coordinator for Health Information Technology offer a free Security Rule Risk Assessment Tool to assist in this review.