Polsinelli - Health Care


December 2014


Failure to Follow HIPAA Policies Results in $150,000 Liability and Corrective Action Plan

For more information about this e-Alert, please contact:

Erin Fleming Dunlap
Rebecca Frigy Romine

Health Care Practice Leaders:

Matthew J. Murer, Practice Area Chair
Jane E. Arnold, Practice Area Vice Chair
Colleen M. Faddick, Practice Area Vice Chair


The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR) has recently released information about another HIPAA settlement, emphasizing yet again the government's focus on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement underscores that organizations cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice.

On December 8, 2014, HHS-OCR issued a bulletin stating that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services in Anchorage, Alaska, agreed to settle potential violations of the HIPAA Security Rule. HHS-OCR opened an investigation upon receiving notification from ACMHS of a breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised the security of ACMHS' information technology (IT) resources and affected 2,743 individuals. During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but that these policies and procedures were not followed. Significantly, ACMHS may have avoided the breach (and would not be subject to the HHS-OCR settlement agreement) if it had followed the policies and procedures it adopted and had regularly updated its IT resources with available patches.

The settlement agreement requires ACMHS to pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years. The Resolution Agreement can be found on the OCR website.

The settlement with ACMHS is just one of a handful of recent settlements arising from an HHS-OCR investigation prompted by an organization self-reporting a breach of unsecured ePHI; however, HHS-OCR may also examine an organization's HIPAA compliance program after receiving a complaint or as part of its annual audit protocol. In every instance, HHS-OCR will expect an organization to have fully implemented its HIPAA compliance program and/or policies and procedures.

According to HHS-OCR, compliance with the HIPAA Security Rule requires organizations (among other things) to address risks to ePHI on a regular basis and to review systems for vulnerabilities and unsupported software. Organizations cannot simply adopt HIPAA policies and procedures and then place those documents on a shelf. HIPAA compliance programs must be dynamic and reviewed and updated on a regular basis to reflect changes within the organization, including discovered vulnerabilities and ever-evolving external threats. Threats to ePHI are real and can have a devastating impact on a business – and patients' privacy. All organizations subject to HIPAA, regardless of size, must devote the necessary resources to protect the organization's data from these threats.

For More Information

If you have questions or concerns about this alert, please reach out to a member of Polsinelli's Health Care practice or the authors of this alert:
Polsinelli is a first generation Am Law 100 firm serving corporations, institutions, entrepreneurs and individuals nationally. Our attorneys successfully build enduring client relationships by providing practical legal counsel infused with business insight, and with a passion for assisting General Counsel and CEOs in achieving their objectives. Polsinelli is ranked 18th in number of U.S. partners* and has more than 740 attorneys in 19 offices. Profiled by The American Lawyer and ranked as the fastest growing U.S. law firm over a six-year period**, the firm focuses on healthcare, financial services, real estate, life sciences and technology, energy and business litigation, and has depth of experience in 100 service areas and 70 industries. The firm can be found online at Polsinelli PC. In California, Polsinelli LLP.

* Law360, March 2014
** The American Lawyer 2013 and 2014 reports

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.

Copyright © 2014 Polsinelli PC.