Mental Health Service Fined $150K for Ignoring HIPAA

Anchorage Community Mental Health Services will pay a $150,000 settlement fine and adopt a corrective action program for failure to substantially comply with the HIPAA security rule since its compliance date in 2005.

The settlement with the HHS Office for Civil Rights, which enforces HIPAA, comes after malware compromised protected health information for 2,743 individuals. An OCR investigation found that ACMHS adopted sample security rule policies and procedures in 2005, but did not follow or update them until after the breach occurred in March 2012.

Among other violations, ACMHS did not conduct a risk assessment or implement security measures to mitigate risk, failed to implement measures such as firewalls and threat monitoring to guard against access to protected information transmitted over a network, and did not regularly apply patches until after the breach.

Under the corrective action plan, ACMHS must provide updated versions of security rule policies and procedures and revise them if OCR recommends changes, distribute policies and procedures to staff and train them on general security awareness, conduct annual risk assessments and document security measures implemented or being implemented, and report to OCR any failures to comply and steps taken to mitigate harm and prevent reoccurrence. ACMHS must report to OCR for two years and retain documents related to compliance for six years.

The fine is the sixth that HHS/OCR has levied against a HIPAA covered entity during 2014, but the first since late June. The resolution agreement with Anchorage Community Mental Health Services and the corrective action plan are available here.
