Earlier this month, the Office for Civil Rights issued its first HIPAA compliance fine under its new director, Jocelyn Samuels. The Experian Data Breach Industry Forecast reports that, come 2015, the medical industry will be 'plagued' by cybercriminals out to steal health care data. The potential cost of these breaches could reach up to $5.6 billion annually. Unfortunately, Anchorage Community Mental Health Services (ACMHS) learned all of this the hard way.
A breach caused by malware put the ePHI of 2,700 patients at risk and resulted in the highest HIPAA noncompliance fine this year. The subsequent investigation discovered that:
- From April 2005 until March 2012, ACMHS did not perform an accurate and thorough noncompliance assessment of their current HIPAA compliance plan. These assessments are required under 45 C.F.R. 164.308(a)(1)(ii)(A) of HIPAA and are needed to assess the possible risks and integrity of the current plan.
- During that same time period, the company failed to implement sufficient security measures required to reduce risks and vulnerabilities to ePHI. This is required under section 45 C.F.R. 164.308(a)(1)(ii)(B) of HIPAA.
- And finally, from January 2008 until March 2012, the company did not implement security measures to prevent unauthorized access to ePHI transmitted over an electronic network, as required by section 45 C.F.R. 164.312(e) of HIPAA.
ACMHS admitted their fault and agreed to pay the record-setting noncompliance fine of approximately $150,000. In addition, they agreed to take on a new compliance plan and perform regular updates and assessments while being monitored by the OCR.
The OCR reported that the breach was a direct result of the company failing to keep their software and procedures up to date. Additionally, the breach could have been avoided had ACMHS conducted regular risk assessments, as HIPAA requires. This is a reminder to companies that no matter how well-planned and practiced your current compliance plan and procedures are, pushing them to the background and failing to conduct regular assessments and updates can still result in a hefty fine.
If you need help keeping your compliance documentation up to date, Allpoint Compliance would be happy to help. The myCompliance Portal tool is the perfect fit to help you stay on track. Feel free to contact us with any questions or concerns you may have.