If you are a healthcare provider, a health insurance plan, or an organization that has access to a provider's or plan's patient or subscriber information and uses it to perform services for them, and you are still running Windows XP and XP-vintage antivirus software to protect that information while believing you are in compliance with HIPAA, the Office for Civil Rights, which enforces HIPAA, would like to correct your misapprehension.
On December 8, 2014, the Office for Civil Rights ("OCR") settled a penalty proceeding with Anchorage Community Mental Health Services ("ACMHS"), a nonprofit mental-health care provider, following a breach of the unsecured (unencrypted) Protected Health Information ("PHI") of 2,743 individuals. The investigation, prompted by a self-report from ACMHS, revealed that ACMHS did not monitor for malware and was running outdated software. In addition, OCR found that ACMHS did not follow its own security policies, which had not been updated since they were originally drafted in 2005, and that ACMHS had not conducted a Risk Assessment since the effective date of the HIPAA Security Rule. ACMHS agreed to settle with OCR for $150,000 and to implement a Corrective Action Plan, the legal and consultant costs of which will probably equal or exceed the amount of the settlement. Jocelyn Samuels, Director of the Office for Civil Rights, commenting on the settlement in the OCR press release, stated that "successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
This is one of the first HIPAA proceedings based upon claims of failure to maintain up-to-date software, including security patches, and failure to monitor for malware. In an era in which breaches seem to occur almost weekly, it certainly won't be the last. If you have questions about your organization's compliance with the requirements of HIPAA, please contact Kenneth N. Rashbaum.