The Office of Civil Rights (OCR) shared a resolution agreement it reached with Anchorage Community Mental Health Services (ACMHS) in 2014 as a way to emphasize the importance of basic security measures when it comes to HIPAA.
OCR and ACMHS entered into a resolution agreement after ACMHS failed to update its IT requirements and was running unsupported software. This compromise in security led to a breach of 2,743 individual accounts. The investigation by the OCR found that ACMHS adopted sample Security Rule policies, but failed to adhere to them. Not only did they fail to conduct accurate assessments of potential risks, ACMHS also failed to ensure that information technology resources were regularly updated. Due to their carelessness, ACMHS paid a $150,000 fine and was required to come up with a corrective action plan. The OCR also required a two-year compliance reporting period from the mental health services provider. Listed below are some tips that can help you avoid being in ACMHS’s situation.
Six Tips to Avoid HIPAA Penalties
Tip #1: Identify the software that is key to the security of your information, and establish procedures and maintenance schedules to ensure timely installation of patches and updates.
Tip #2: Identify employees who are responsible for monitoring and installing available patches and updates. Be sure to inform them about the importance of their job and the importance of adhering to HIPAA guidelines.
Tip #3: Ensure firewalls are in place, with threat-identification monitoring of both inbound and outbound traffic.
Tip #4: Adequately support information technology resources.
Tip #5: Regularly conduct security risk assessments, including an evaluation of what risks might be posed by the software and hardware in use, and promptly address areas of high risk.
Tip #6: Implement, follow, and regularly update HIPAA policies and procedures that are developed to address the security risks of your organization, as identified by security risk assessments. Don’t put sample HIPAA policies on a shelf to collect dust; put them to use.
HIPAA was very generous to ACMHS in only fining them $150,000. Unfortunately, they are not always so generous. Following the tips specified above should help you avoid costly HIPAA penalties for your business or organization.
Source referenced: JD Supra