$150,000 HIPAA Resolution Agreement Emphasizes Importance of Updating, Patching IT Systems under the Security Rule

by Leonardo M. Tamburello

In a Resolution Agreement announced on December 8, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) made clear that the HIPAA Security Rule requires Covered Entities and their Business Associates who handle electronic protected health information (ePHI) to regularly patch and update their IT infrastructure.

This matter arose in March 2012 when OCR was notified by Anchorage Community Mental Health Services, Inc. (“ACMHS”) that due to a malware infection of its computer systems, a breach involving the unsecured ePHI of 2,743 individuals had occurred.

According to the Resolution Agreement, OCR’s subsequent investigation revealed that ACMHS failed to: (1) conduct an accurate and thorough risk assessment of its IT infrastructure; (2) implement policies and procedures requiring security measures sufficient to reduce risks and vulnerabilities to its ePHI; and (3) implement technical security measures to guard against unauthorized access to ePHI, specifically by failing to ensure that firewalls were in place with “threat identification monitoring” of inbound and outbound internet traffic and that IT resources were adequately “supported and regularly updated with available patches.”

Under the terms of the Resolution Agreement, ACMHS will pay a $150,000 fine and adopt a corrective action plan designed to address deficiencies in its HIPAA compliance program.

This is the first explicit statement from OCR that the HIPAA Security Rule requires IT infrastructure to be “regularly updated with available patches.” The risk is not theoretical: an unpatched OpenSSL vulnerability known as the “Heartbleed Bug” has been implicated in a breach reported earlier this year of 4.5 million health records from Community Health Systems, which operates 206 hospitals in twenty-six states.

This should dispel any doubt that a thorough risk assessment and risk management plan must include a process by which hardware (including firmware) and software are regularly patched and updated to the latest versions that address known vulnerabilities, since an unaddressed vulnerability could be exploited and result in a breach.