May 29, 2020


HIPAA Settlement Continues to Emphasize the Importance of Security Policies and Procedures

A recently announced settlement between Anchorage Community Mental Health (“ACMHS”) and the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) emphasizes, once again, the importance of compliance with the Security Rule and keeping IT infrastructure up to date. ACMHS, a five-facility nonprofit organization based in Anchorage, agreed to pay $150,000 and adopt a corrective action plan to address compliance with the HIPAA Security Rule.

OCR began investigating ACMHS after ACMHS reported a breach of unsecured electronic protected health information (e-PHI) caused by malware involving 2,700 individuals in March 2012.  In its investigation, OCR concluded that ACMHS failed to conduct a thorough risk assessment, failed to implement Security Rule policies and procedures, and failed to implement technical security measures to protect e-PHI through the use of firewalls and regularly supported and updated software.  OCR’s bulletin announcing the settlement noted that though ACMHS had adopted sample Security Rule policies and procedures, it failed to follow those policies and procedures. 

OCR has repeatedly emphasized the importance of conducting risk assessments and continuing to update and revise risk assessments based on new threats.  This emphasis was a key takeaway from the September Joint OCR/NIST HIPAA Security Conference. The ACMHS settlement underscores that Security Rule compliance cannot be accomplished with a one-size-fits-all, “check the box” approach.  Instead, compliance requires entities to undertake a thorough and tailored risk assessment and to routinely assess new threats and vulnerabilities. 

The resolution agreement and a copy of the corrective action plan are available on OCR’s website.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

