Dec
16

OCR fines behavioral health service $150,000


The Office for Civil Rights (OCR) announced December 8 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations, according to a press release.

OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service. On March 12, 2012, ACMHS notified OCR of a breach affecting 2,743 individuals. The breach was the result of malware that compromised the security systems of the behavioral healthcare provider, according to OCR.

The resolution agreement states that ACMHS failed to:

  • Conduct an accurate and thorough risk assessment of ePHI from April 21, 2005, through March 12, 2012
  • Implement security policies and procedures to reduce risks and vulnerabilities to ePHI from April 21, 2005, through March 12, 2012
  • Implement technical security measures to safeguard against unauthorized access to ePHI by failing to ensure firewalls were in place and that information technology resources were supported and updated with patches from January 1, 2008, through March 29, 2012

In addition to the monetary settlement, as part of the corrective action plan with OCR, ACMHS agreed to:

  • Provide an updated version of its security policies and procedures
  • Adopt a revised version of OCR-approved security policies and procedures
  • Distribute revised security policies and procedures to workforce members who work with ePHI and provide security awareness training
  • Obtain signed written or electronic initial compliance certification from all workforce members stating that they read, understand, and will abide by security policies and procedures
