Health Law Daily
Thursday, April 13, 2017

Breach investigation uncovers lack of risk assessment

A federally qualified health center (FQHC) entered into a resolution agreement and a corrective action plan (CAP) with the HHS Office for Civil Rights (OCR) as a result of its failure to conduct a timely and effective risk analysis as required by the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Security Rule. Metro Community Provider Network (MCPN) agreed to pay $400,000 to resolve allegations that it did not comply with the Rule's requirements, a failure that left it exposed to a hacking incident that compromised the electronic protected health information (ePHI) of 3,200 individuals. The CAP is effective for three years (Resolution Agreement, April 7, 2017).

MCPN serves patients in the greater Denver, Colorado metropolitan area, many of whom have incomes at or below the poverty level. It provides primary medical care, dental care, pharmacies, social work, and behavioral health care services. On December 5, 2011, MCPN became aware that a hacker accessed employee email accounts as part of a phishing scam and "obtained" the individuals’ ePHI. It notified the OCR of the breach in a timely manner on January 27, 2012.

The Security Rule requires HIPAA covered entities (CEs) and business associates (BAs) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold, and then to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level (45 C.F.R. Sec. 164.308(a)(1)). The OCR's investigation revealed that MCPN had not conducted any risk analysis before the incident. MCPN did conduct an analysis in February 2012, after the breach, and several more afterward, but none of them met the Security Rule's requirements.

The OCR balanced MCPN’s status as an FQHC and its service to low-income patients with the significance of the violation before arriving at the $400,000 figure. Pursuant to the CAP, MCPN must conduct a risk analysis and review it at least annually, develop and implement a risk management plan, review and revise policies and procedures, review and revise training materials, notify the OCR of any reportable events, submit implementation and annual reports, and retain documents associated with the CAP for six years. Should MCPN breach the CAP, it could be subject to civil monetary penalties (CMPs).
