Wednesday, December 10, 2014

What's a HIPAA Resolution Agreement and what does it mean to you?

HIPAA Resolution Agreements and Civil Money Penalties

A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (for example, staff training) and make reports to HHS, generally for a period of three years. It is normally the result of an OCR investigation that has uncovered a HIPAA security deficiency or PHI exposure. During that period, HHS monitors the covered entity's compliance with its obligations. The agreement also usually includes the payment of a resolution amount. These agreements are reserved for settling investigations with more serious outcomes. When HHS cannot reach a satisfactory resolution through the covered entity's demonstrated compliance or corrective action by other informal means, it may impose civil money penalties (CMPs) on the covered entity for noncompliance.
Alan Davis, of Proteus Consulting LLC, recently highlighted the case of Anchorage Community Mental Health Services and their $150K penalty for lax security enforcement. HHS determined that the agency's unpatched computer systems accounted for a breach affecting over 2,700 patient records. Essentially, ACMHS allowed their systems to fall behind on software updates and patch management, which allowed malware to infiltrate their network and steal confidential patient information.
According to the HHS web site:  “ACMHS will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. ACMHS is a five-facility, nonprofit organization providing behavioral health care services to children, adults, and families in Anchorage, Alaska.”  HHS will now keep an eye on that organization for the next 3 years to make sure they stay in compliance.
What does it all mean? If you're a HIPAA regulated organization and you don't have a full-time tech support presence on premises making sure that your computers, servers and networks are always up to date, you run the real risk of PHI exposure without even knowing it. Malware is an ever growing threat to your security, and it could cost you BIG TIME if you don't make sure your systems are consistently patched. An IT support organization that specializes in HIPAA regulated clients will be aware of your compliance obligations and provide the update services you need in a timely fashion. The old days of patching computers once a month are long gone. Patch updates need to be applied at least weekly, if not more frequently. If you don't have the funds for an experienced in-house tech, make sure your IT support company performs patch maintenance for your server operating system AND all supporting programs like browser add-ons, SQL database updates and all of the rest, and that it documents the process.
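One way to turn the weekly-patching rule above into something you can actually check and file is a small audit script. The following is an added example, not code from the original post or from ACT Network Solutions; the host names, components and dates are a constructed sample inventory, and the seven-day SLA is the post's "at least weekly" cadence.

```python
"""Patch-cadence audit: flag hosts whose OS or supporting software has not been
patched within the weekly SLA, and produce a dated record for the compliance file."""
from datetime import date, timedelta

# Weekly cadence, as recommended above; tighten it for higher-risk systems.
MAX_PATCH_AGE = timedelta(days=7)

# Constructed sample inventory (hypothetical hosts and dates, not real systems).
# Each entry is the last date an OS patch or supporting-program update was applied.
INVENTORY = [
    {"host": "ehr-db-01", "component": "Windows Server (OS)", "last_patched": "2014-12-08"},
    {"host": "ehr-db-01", "component": "SQL Server", "last_patched": "2014-11-20"},
    {"host": "front-desk-03", "component": "Windows (OS)", "last_patched": "2014-12-09"},
    {"host": "front-desk-03", "component": "Browser plug-in (Java)", "last_patched": "2014-10-15"},
    {"host": "billing-02", "component": "Windows (OS)", "last_patched": "2014-12-03"},
]


def overdue_components(inventory, as_of_iso, max_age=MAX_PATCH_AGE):
    """Return (host, component, days_past_sla) for every entry older than max_age
    as of the given ISO date. Exactly max_age old still counts as compliant."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for entry in inventory:
        age = as_of - date.fromisoformat(entry["last_patched"])
        if age > max_age:
            findings.append((entry["host"], entry["component"], (age - max_age).days))
    return findings


def compliance_report(inventory, as_of_iso, max_age=MAX_PATCH_AGE):
    """Build the dated record a compliance file needs: what was checked, what failed.
    Supporting programs (database, browser add-ons) are checked alongside the OS."""
    findings = overdue_components(inventory, as_of_iso, max_age)
    lines = [f"Patch audit {as_of_iso} (SLA: {max_age.days} days)",
             f"Components checked: {len(inventory)}, overdue: {len(findings)}"]
    for host, component, days in findings:
        lines.append(f"  OVERDUE {host}: {component} ({days} days past SLA)")
    return {"compliant": not findings, "findings": findings, "text": "\n".join(lines)}


if __name__ == "__main__":
    print(compliance_report(INVENTORY, "2014-12-10")["text"])
```

Run against a real inventory export, the report text is the kind of dated evidence a corrective action plan asks you to keep.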
Jeff Hoffman is an IT Security Consultant at ACT Network Solutions and the author of "Intruders At The Gate - Building an Effective Malware Defense System".  He can be reached at jhoffman@act4networks.com
