Anchorage Community Mental Health Services (ACMHS) must pay $150,000 and implement an action plan to meet HIPAA compliance after more than 2,700 individuals' electronic health information was compromised in a cyber attack on the organization. OCR opened an investigation into the group’s HIPAA compliance and found that the medical organization violated the “Security Rule.”
The HIPAA Security Rule requires entities that handle electronic protected health information to regularly patch systems and update their IT infrastructure. Although ACMHS had adopted the sample Security Rule policies and procedures in 2005, they were never followed. This lack of patching of IT security systems allowed malware to breach the medical organization’s systems and, the bulletin says, prompted the settlement.
“This settlement illustrates that covered entities and business associates not only need to adopt the appropriate HIPAA policies, procedures and practices on paper, but they have to ‘live them’ via execution. Keeping software and computer infrastructure patched and current is part of living HIPAA compliant. This gets to the heart of negligence related to proper IT controls and management. It’s not enough to just install technology and forget about it; security and patching is an ongoing task,” said Al Rozell, President of InfoTech Innovators.