HHS-OCR HIPAA Settlement Bulletin Highlights the Potential Impact of Unpatched and Unsupported Software

The Department of Health and Human Services, Office for Civil Rights (OCR) recently released a bulletin outlining the terms of a settlement with Anchorage Community Mental Health Services (ACMHS) over potential violations of the HIPAA Security Rule. According to the bulletin, ACMHS has agreed to “pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.”

OCR initiated an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) involving 2,743 individuals. The breach of information was related to malware that compromised the security of ACMHS’ information technology resources. The bulletin details that the investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but the policies were not followed. Further, the security incident that resulted in the breach of ePHI “was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”

The resolution agreement provides that ACMHS will pay the $150,000 settlement amount, implement a corrective action plan and report on the state of its compliance to OCR for a two-year period. The resolution agreement is available here.

The ACMHS settlement is a reminder for HIPAA covered entities and business associates that HIPAA compliance is an ongoing effort. It requires more than just the adoption of policies and procedures; covered entities and business associates must make sure those policies are effectively implemented and that staff members are trained to follow them. As noted in the OCR bulletin, risks to ePHI need to be assessed on a regular basis, including reviews of systems to identify unpatched vulnerabilities and unsupported software.