On December 2, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. (ACMHS) for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
OCR began its investigation after ACMHS reported a malware-related breach of unsecured ePHI on March 12, 2012. OCR stated that the breach was the direct result of ACMHS’ failure to “identify and address basic risks” to the security and confidentiality of ePHI in its custody. ACMHS adopted sample Security Rule policies and procedures in 2005, but apparently did not implement them until OCR’s investigation began in 2012. OCR’s review of the ACMHS IT infrastructure revealed critical shortcomings including unpatched systems running outdated or unsupported software, and inadequate firewalls with insufficient threat identification monitoring of inbound and outbound traffic.
The ACMHS settlement emphasizes three key takeaways for HIPAA covered entities and business associates:
- Tailor Security Rule compliance programs. Although the HIPAA Security Rule provides flexibility to entities in choosing the most appropriate compliance strategies, each organization must (1) conduct an accurate and thorough assessment of the particular risks facing ePHI held by the entity and (2) tailor its policies and procedures to adequately address those risks. This settlement demonstrates that a “one size fits all” approach based on template policies and procedures will not suffice for Security Rule compliance.
- Conduct regular and thorough risk assessments. As OCR and NIST emphasized in a September conference on safeguarding health information, comprehensive risk analysis and risk management are two cornerstones of an effective IT security program. In its press release regarding the ACMHS settlement, OCR highlighted its Security Rule Risk Assessment Tool released in March 2014, which was developed to assist small- to medium-size providers with conducting risk assessments.
- Regularly patch and update software. The OCR investigation determined that the breach suffered by ACMHS may have been preventable had its employees regularly patched known vulnerabilities and kept software up to date. OCR also identified the need for entities to maintain threat identification monitoring, which is significant given the dynamic and evolving cybersecurity threat landscape.
In addition to the monetary payment, the settlement agreement imposes a two-year corrective action plan. The ACMHS settlement follows a series of enforcement actions in which OCR has entered into resolution agreements and corrective action plans with HIPAA covered entities for alleged violations of the Privacy, Security, and Breach Notification Rules. In the past two years, OCR has entered into twelve HIPAA resolution agreements, with settlements totaling over $11.7 million. As OCR prepares to roll out the next phase of its audit program, which will be used as an enforcement tool and may lead to full-scale compliance reviews, HIPAA-regulated entities should examine their security practices to ensure they are appropriately managing risks to ePHI—which includes reviewing systems and applications for unpatched vulnerabilities or unsupported software.