by Forrest Campbell, Health Law Attorney, fcampbell@brookspierce.com
In December 2014, the U.S. Department of Health and Human Services ("HHS") and Anchorage Community Mental Health Services ("ACMHS") settled alleged HIPAA violations for $150,000.
Don't be misled--this settlement is not important just for parties subject to HIPAA. It's important to anyone who maintains confidential information in electronic form.
Here's what happened according to HHS. ACMHS failed to regularly update its IT resources with available patches, and ACMHS used outdated, unsupported software. As a direct result of these two factors, malware was able to compromise the security of ACMHS's IT system, resulting in a data breach of the protected health information of 2,743 individuals. As HIPAA requires, ACMHS notified HHS of the breach, and an HHS investigation followed. The investigation led to the settlement. The period from the start of the investigation to the signing of the settlement was 2 ½ years--which probably represents a lot of hours and money for ACMHS.
These events show how important security patches and software updates are for all parties with confidential electronic information. If you fail to diligently implement patches and updates--no matter what business line you're in--malware might infiltrate your IT system and cause a data breach. Data breaches often require notice to the individuals affected and to state and federal authorities, and often lead to investigations, lawsuits, and/or settlements.
Apparently, ACMHS could have avoided the entire matter if it had implemented proper patches and updates.
Although the lessons from these events are important across all industries, parties subject to HIPAA should recall that the HIPAA security rule essentially mandates that critical security patches and updates be implemented. For example, the security rule broadly requires that HIPAA covered entities and business associates must:
-
Ensure the confidentiality, integrity, and availability of all electronic PHI.
-
Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI.
-
Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted or required under HIPAA.
HHS's Bulletin announcing and describing the settlement is located here:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/acmhsbulletin.pdf
The settlement is located here:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettlement.pdf
Forrest W. Campbell, Jr. practices in the Greensboro office of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP. His practice is dedicated to health care. You are welcome to contact him at 336.373.8850 or fcampbell@brookspierce.com.
Add a comment
Archives
- January 2022
- June 2021
- March 2020
- August 2019
- March 2019
- October 2018
- July 2016
- June 2016
- May 2016
- February 2016
- November 2015
- September 2015
- July 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- July 2014
- March 2014
- July 2013
- June 2013
- April 2013
- March 2013
- October 2012
- September 2012
- August 2012
- April 2012
- March 2012
- February 2012
- January 2012
- November 2011
- September 2011
- June 2011
- May 2011
- April 2011
- February 2011
- January 2011
- December 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2006
- February 2006
Recent Posts
- Rethinking Your Cyber Insurance Needs as Your Workplace Evolves
- Data Breach Defense for Educational Institutions
- COVID-19 and the Increased Cybersecurity Risk in a Work-From-Home World
- Like Incorporating Facebook into your Website? EU Decision Raises New Issues
- Lessons Learned: Key Takeaways for Every Business from the Capital One Data Breach
- Will Quick Talks to WRAL About Privacy Issues Related to Doorbell Cameras
- About Us
- Not in My House - California to Regulate IoT Device Security
- Ninth Circuit Says You’re Going to Jail for Visiting That Website without Permission
- Ninth Circuit Interprets “Without Authorization” under the Computer Fraud and Abuse Act
Topics
- Data Security
- Data Breach
- Privacy
- Defamation
- Public Records
- Cyberattack
- FCC Matters
- Reporters Privilege
- Political Advertising
- Newsroom Subpoenas
- Shield Laws
- Internet
- Miscellaneous
- Digital Media and Data Privacy Law
- Indecency
- First Amendment
- Anti-SLAPP Statutes
- Fair Report Privilege
- Prior Restraints
- Wiretapping
- Access to Courtrooms
- Education
- FOIA
- HIPAA
- Drone Law
- Access to Court Dockets
- Access to Search Warrants
- Intrusion
- First Amendment Retaliation
- Mobile Privacy
- Newsroom Search Warrants
- About This Blog
- Disclaimer
- Services