Dive Brief:
- Anchorage Community Mental Health Services in Alaska has agreed to pay a five-figure fine and improve its HIPAA compliance program after an investigation by HHS found the group failed to appropriately safeguard patient data.
- The five-facility mental health organization (ACMHS) will pay $150,000 to HHS to settle potential HIPAA violations after it failed to patch its systems and continued to run outdated, unsupported software, which eventually led to a malware data breach affecting 2,743 individuals. ACMHS reported the breach to HHS in March 2012.
- Following the investigation by HHS' Office for Civil Rights, officials found that ACMHS had adopted HIPAA security policies and procedures, but the organization's employees did not follow them for a seven-year period, from 2005 to 2012. The breach of electronic protected health information resulted after ACMHS failed to "identify and address basic risks," OCR officials wrote in a settlement bulletin. Specifically, the organization neglected to apply system patches and software updates to its IT resources.
Dive Insight:
Data breaches cost healthcare organizations billions of dollars, and protecting health information is now a big business. What makes this case particularly important, beyond being a run-of-the-mill data breach incident, is that something as seemingly small as out-of-date IT led HHS to find a reportable breach at the Alaska organization.
As the report noted, nearly 41.5 million people have had their protected health information compromised in a reportable HIPAA privacy or security breach.
It just goes to show that crafting a HIPAA security policy is one thing, but following it is quite another (and far more important).