Under the terms of a resolution agreement, Anchorage Community Mental Health Services (“ACMHS”) had to pay $150,000 as a civil money penalty settlement and integrate a corrective action plan (“CAP”) after a cyberattack had compromised more than 2,700 individuals’ electronic protected health information (“EPHI”).

Section 164.308(a)(8) requires entities who maintain or transmit EPHI to perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart (The Security Rule).

Although ACMHS had adopted Security Rule policies and procedures in 2005, those policies and procedures were never followed. This lack of patching of IT security systems allowed malware to breach the medical organization’s systems and prompted the settlement. ACMHS had neither updated its system nor followed its own policies. This civil money penalty situation highlights that having a policy is not enough—that is, you have to follow it and sanction workforce members who don’t, whether the failure to follow the policy is neglect or something worse.

As I always say, “You can’t just get in compliance—you have to stay in compliance.” Specifically, do not neglect to perform an initial risk analysis, update it regularly, adopt and implement and enforce reasonable and appropriate security measures, including policies and procedures based on your risk analysis, train all of your workforce on HIPAA and all of those policies and procedures, and keep written documentation of all of your HIPAA compliance efforts for at least the six-year retention period required under HIPAA.

See the Resolution Agreement at http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettlement.pdf.