Recently, the Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with Anchorage Community Mental Health Services (ACMHS), a non-profit behavioral health services provider in Anchorage, Alaska. The settlement resulted from OCR’s investigation into potential violations of HIPAA’s security requirements after malware installed on a computer in one of ACMHS’s five facilities led to a data breach affecting more than 2,500 patients. OCR’s investigation revealed that the security lapse was due to ACMHS’s failure to “identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”
Under the settlement, ACMHS will pay $150,000 and adopt a Corrective Action Plan to address deficiencies in its HIPAA compliance program. ACMHS will also be required to make regular reports to OCR on the status of its HIPAA compliance for a two-year period.
This story highlights the fact that compliance impacts every facet of an organization. In the execution of day-to-day tasks—often in fast-paced and high-pressure environments—it is easy for employees to lose sight of the crucial role they play in supporting an organization’s obligations to meet legal requirements. Too often, it’s not until a costly violation occurs that employees are reminded of how something as simple as keeping computer software up to date can have far-reaching impacts across the company.
Fortunately, a compliance training program that centers on promoting a culture of compliance can go a long way toward empowering employees to avoid “basic risks” like the ones that led to the breach of ACMHS’s data. Relevant messaging, routine reinforcement, and adoption of a “compliance mentality” across all levels of an organization are key to building and maintaining a culture that embraces compliance as a strategic part of doing business.
Charlie Voelker, Esq. is the Legal Compliance Solution Manager at Skillsoft.