On December 2, 2014, the Anchorage Community Mental Health Services (ACMHS) agreed to pay $150,000 under a settlement agreement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  ACMHS entered the settlement agreement after an OCR investigation revealed that ACMHS had failed to implement adequate security measures to guard against unauthorized access to electronic protected health information (e-PHI).  The settlement underscores the importance of regularly reviewing and addressing risks to e-PHI.

OCR launched an investigation after ACMHS reported a breach of unsecured ePHI from malware compromising the security of its information technology resources.  OCR concluded that ACMHS had failed to thoroughly assess potential risks to its e-PHI, implement policies and procedures that would reduce e-PHI vulnerabilities to a reasonable level, and identify and address basic risks, such as running outdated, unsupported software.  Also, even though it had  adopted sample Security Rule policies and procedures in 2005, OCR found that ACMHS had not followed those policies and procedures.

Along with paying $150,000 to settle these potential HIPAA violations, ACMHS will implement a corrective action plan and regularly report its compliance with HIPAA requirements to OCR during the next two years.  This settlement highlights the need for organizations handling PHI to regularly review and update the administrative, physical, and technical safeguards that protect the security of this information.  OCR and the Office of the National Coordinator for Health Information Technology offer a free Security Rule Risk Assessment Tool to assist in this review.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with…

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services. To learn more, click here.