Healthcare News & Insights

Proof HIPAA compliance must be an ongoing effort

Hospitals take note: There are some important lessons about compliance to take away from this provider’s recent HIPAA violations settlement. 

Over the past year, the Department of Health & Human Services’ Office for Civil Rights (OCR) has been stepping up its efforts to get providers to take HIPAA compliance seriously. It wants hospitals and other providers to stay vigilant in guarding patients’ privacy and protected health information (PHI).

Yet some providers still mistakenly assume that compliance and PHI security are a “once and done” task that doesn’t require consistent upkeep. This HIPAA violation shows why that’s not the case.

Cautionary tale

Earlier this month, Anchorage Community Mental Health Services Inc. (ACMHS) settled with the OCR over alleged HIPAA Security Rule violations, according to healthcare attorney Edward Zacharias of the law firm McDermott Will & Emery.

ACMHS was under investigation after reporting a breach of over 2,700 patients’ electronic PHI back in 2012. Attackers reportedly gained access to the information through malware, which left the system exposed to further attacks.

During its investigation, OCR found ACMHS:

  • didn’t conduct thorough or accurate assessments of potential risks and vulnerabilities
  • lacked policies and procedures regarding PHI security, and
  • hadn’t updated its technical security measures since 2008.

The breach was likely a result of this last mistake. Since ACMHS hadn’t updated its electronic security, its firewalls were outdated, which likely allowed a virus to compromise the system and expose PHI.

To settle the OCR’s charges, ACMHS agreed to pay $150,000 and entered a two-year corrective action plan, which requires ACMHS to:

  • implement updated HIPAA Security Rule policies and procedures
  • develop and provide updated security awareness training annually
  • conduct annual risk assessments and document the security measures taken in response to potential facility risks, and
  • submit annual reports to OCR on its compliance with HIPAA and the corrective action plan.

Constant vigilance

As the ACMHS case shows, it’s worth the effort to make sure your facility is addressing HIPAA compliance on a regular basis.

This is especially true given that new cybersecurity threats, like Heartbleed and Shellshock, are constantly emerging. That means encryption and firewalls can quickly become outdated and leave holes in your PHI security if you aren’t keeping up with software updates and security patches.

If your facility hasn’t done so yet, it also may be worthwhile to create a HIPAA compliance team. The purpose of this group would be to watch for emerging cybersecurity threats, ensure that HIPAA policies and procedures are being followed by other hospital employees, and conduct regular risk assessments.

You’ll want to make sure your HIPAA team is documenting its actions, too.

There’s no guarantee your facility won’t experience a breach at some point. But documented evidence that you regularly update your electronic security measures and conduct thorough risk assessments demonstrates that your hospital takes PHI security seriously, which may lower penalties for violations.
