Mental Health Organizations Not Immune from HIPAA Fines

One of the most recent large HIPAA fines was placed upon a behavioral health organization just this month—Anchorage Community Mental Health Services.

BULLETIN: HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software

Anchorage Community Mental Health Services (ACMHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.

The problem: the organization reported a breach that affected over 2700 individuals. They had completed a risk assessment and developed policies in 2005; they had done almost nothing else since then.

OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources. OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

I read this and started wondering how many of our customers might be in the same boat. They went through the motions of taking a course on HIPAA security and privacy, adopted some sample policies that the trainer shared, and put it all in a file cabinet. You might be surprised to hear this, but that is not HIPAA compliance.

If some nightmare occurs, you experience a data breach and have to report to OCR, will they find the same thing in your organization? Are you still using unsupported software that is no longer updated for security by the manufacturer (like Windows XP)? Have you provided training on your policies and procedures to that new receptionist you hired? If you are a staff person reading this article, have you been trained on your organization’s HIPAA policies and procedures? Do you know what PHI is and what the consequences can be if that information is seen by someone else without their permission?

If you would like to share some of the things you and your organization have done to make sure that the information with which your clients have entrusted you is secure, please do so below. If you know you have not done enough, please read about doing a Security Risk Assessment and start remediating your situation. I cannot tell you how much we would hate to lose a customer who had to close up shop because of a large fine they could not pay. I know it could never happen to you. . .but just in case. . . .


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.