Latest HIPAA Settlement at $150k for Compromising 2,700 Medical Records

The latest in a string of costly settlements associated with the violation of the HIPAA law highlights the importance of your health care organization closely following HIPAA’s mandates. Is your practice’s IT infrastructure HIPAA compliant? If not, then even an overlooked detail as seemingly-insignificant as updating software will subject you to penalties.

This was the case for Anchorage Community Mental Health Services (ACMHS). Last December, the Office for Civil Rights (OCR) found ACMHS guilty of HIPAA violations which caused a breach of OCR’s electronic protected health information (ePHI), affecting the information belonging to 2,700 individuals.

According to The National Law Review, “The OCR determined that the incident was the direct result of ACMHS’ failure to identify and address basic risks such as running outdated and unsupported software, and failure to regularly update software patches.” For the violations, ACMHS was fined $150,000 and agreed to the adoption of a corrective action plan.

The National Law Review goes on to provide health care organizations with these reminders about what it means to be HIPAA compliant.

• The Security Rule, which relates to electronic PHI, continues to be a focus of the OCR;
• A basic requirement of the Security Rule is that Covered Entities and Business Associates should regularly conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the security of electronic PHI;
• Covered Entities and Business Associates should remain current on software and software patches to help avoid malware and other hacking incidents; and
• HIPAA policies and procedures should be meaningful to your organization and should be regularly used, reviewed, and revised as necessary.

When a regular run-in-the-mill business ignores a security patch or uses unsupported software like Windows XP, they do so at their own risk. If there’s a data breach due to negligence, then heads will roll and the business will be found liable. Without protections like HIPAA in place, the average business has the ability to skate by and take risks like this. HIPAA doesn’t afford health care organizations the luxury to take such risks. Ultimately, laws like HIPAA are best for all parties involved, especially for patients and their personal information.

We can take away from this recent case the importance of your health care organization being HIPAA compliant, down to the smallest detail of your IT infrastructure, like routine maintenances and software updates.

Is your practice’s technology HIPAA compliant? If not, you’re subject to a fine and corrective action by the OCR. For matters as serious as HIPAA compliance, it’s better to be safe than sorry. Call k_Street Consulting, LLC at (202) 640-2737 for a complete evaluation of your healthcare organization’s IT network so that you can worry about what really matters, the health of your patients.