The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently entered a $400,000 Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with Metro Community Provider Network (MCPN), a federally qualified health center (FQHC). The settlement serves as a stark reminder that all covered entities, including FQHCs, must meet the HIPAA Security Rule requirements and that OCR is continuing to step up enforcement efforts in this area.
MCPN provides primary medical care, pharmacies, social work, dental care and behavioral health care services throughout Denver, Colorado, to approximately 43,000 patients per year. The settlement at issue arose from a phishing incident in which a hacker accessed employees’ email accounts. As part of the incident, the hacker obtained electronic protected health information (ePHI) on 3,200 individuals. MCPN discovered the incident on December 5, 2011, and filed a breach report with OCR on January 27, 2012. Several weeks after filing the breach report, MCPN decided to conduct a risk analysis.
OCR began its investigation in April 2012 and determined that MCPN failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by MCPN. Because MCPN had not conducted the requisite risk analysis, it also had not implemented a risk management plan to address the risks and vulnerabilities. OCR further determined that when MCPN did conduct the post-breach risk analysis, the risk analysis was insufficient to meet the requirements of the HIPAA Security Rule. The HHS Press Release as well as the Resolution Agreement and Corrective Action Plan may be found here.
HHS has published guidance on the HIPAA Security Rule, including tools to assist in the risk analysis and the risk management process. It is important that all FQHCs understand the Security Rule requirements and implement an effective security management process.
Written by: Jacob Simpson