While Anthem, the second largest health insurer in the U.S., is grabbing most of the headlines with their massive data breach, there are scores of smaller organizations that are paying the price for violating HIPAA compliance regulations. Anchorage Community Mental Health Centers (ACMHS), a five-facility mental health organization, has agreed to a $150,000 fine and to adopt corrective actions after an investigation by the Office of Civil Rights (OCR) showed that the organization failed to safeguard patient data appropriately. In the case of ACMHS, vigilant systems monitoring, combined with adherence to a regular software maintenance and patching program, might have prevented them from falling out of compliance.
Compliance and the HIPAA Security Rule
The HIPAA Security Rule requires entities that handle electronic protected health information (ePHI) to regularly patch systems and update their IT infrastructure. During an investigation, OCR officials discovered that ACMHS had adopted HIPAA security policies and procedures several years ago. However, the organization failed to follow them during a seven-year period, from 2005 to 2012. ACMHS also neglected to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware-related data breach affecting 2,743 individuals.
“Successful HIPAA compliance requires a common sense approach”
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks of ePHI (electronic protected health information) on a regular basis,” said OCR Director Jocelyn Samuels, in a bulletin issued by OCR. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
It’s important to note that ACMHS first notified OCR of the breach and has cooperated throughout its investigation. In addition to the $150,000 settlement amount, ACMHS has agreed to adopt a corrective action plan that requires it to report on its state of compliance for a two-year period.
HIPAA compliance reviews and assessments
In our recent blog post, 3 Security Questions to Ask Your Cloud Provider, we encourage our readers to ask potential cloud providers tough questions to ascertain whether or not they have the proper processes, procedures and certifications in place to ensure sensitive data such as ePHI is secure and available at all times, regardless of circumstances. Many cloud companies that claim to be “HIPAA compliant” aren’t that at all. In fact, they may be unfamiliar with HIPAA compliance regulations as well as the importance of engaging in a Business Associate Agreement (BAA).
Organizations that need to adhere to compliance regulations issued under HIPAA/HITECH, PCI DSS and so forth should also ask a potential cloud provider for their certifications in those areas. As a leading compliant hosting provider, HOSTING undergoes annual risk assessments and compliance reviews from three separate assessors to maintain a solid compliance posture against HIPAA/HITECH, PCI DSS and SOX regulations.
The HOSTING Healthcare Cloud™
Concerned about compliance? The HOSTING team of certified information security and compliance experts has participated in more than 400 customer audits to date. We also offer the HOSTING Healthcare Cloud™ – a hybrid cloud solution with multiple security layers that are specifically designed to protect electronic medical records (EMR) and electronic protected health information (ePHI). While other compliance cloud offerings stop at security, the HOSTING Healthcare Cloud™ ensures that data remains accessible to authorized healthcare providers 24 x 7 x 365 – regardless of circumstances. Contact us today to learn how we can help you with your specific compliance needs.