Sample HIPAA Policies Lead to a Big Fine

Don’t just copy someone else’s HIPAA policies and procedures. HIPAA compliance may be painfully boring or complicated, but practitioners need to do the work. HIPAA compliance requires some thought and analysis about how the practitioner collects, uses, stores, and discloses patient information. The Security Rule requires a risk analysis and the implementation of policies and procedures designed to keep that information secure; adopting a template without doing either satisfies neither requirement.

Anchorage Community Mental Health Services, Inc. (ACMHS) adopted sample HIPAA policies and procedures and never followed them. For seven years, ACMHS never conducted a risk analysis or implemented the required HIPAA policies and procedures. ACMHS did the work only after the clinic discovered a malware infection and reported a breach of patient data.

A subsequent investigation by the Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, revealed the “fake work” and lack of attention, including the failure to keep systems patched and anti-virus and anti-malware software up to date. According to the OCR bulletin on the enforcement action:

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

Among the findings of the OCR investigation were the following:

A. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by ACMHS (See 45 C.F.R. § 164.308(a)(1)(ii)(A));
B. From April 21, 2005, the compliance date of the Security Rule, until March 12, 2012, ACMHS failed to implement policies and procedures requiring implementation of security measures sufficient to reduce risks and vulnerabilities to its e-PHI to a reasonable and appropriate level (See 45 C.F.R. § 164.308(a)(1)(ii)(B)); and
C. From January 1, 2008, until March 29, 2012, ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network (See 45 C.F.R. § 164.312(e)) by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.

ACMHS agreed to pay $150,000 and to carry out a corrective action plan covering the work it should have done in the first place.