[BreachExchange] Feds fine a community health network for HIPAA violations

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 18 19:14:20 EDT 2017


https://www.healthdatamanagement.com/news/feds-fine-a-community-health-network-for-hipaa-violations

Failure to conduct a risk analysis and develop a risk management plan as
required under the HIPAA privacy and security rules has landed a provider
organization in trouble with the HHS Office for Civil Rights, leading to a
$400,000 fine and imposition of a three-year corrective action plan.

Metro Community Provider Network is a large federally qualified health
center with 21 clinics serving 43,000 primarily poor patients in five
counties throughout the Denver region. Its services include primary care,
dental, pharmacy, social work and behavioral health.

In January 2012, MCPN notified OCR that a hacker accessed employees’ email
accounts via a phishing attack and obtained electronic protected health
information on 3,200 individuals. “OCR’s investigation revealed that MCPN
took necessary corrective action related to the phishing incident; however,
the investigation also revealed that MCPN failed to conduct a risk analysis
until mid-February 2012,” the agency contends in a statement.

When MCPN finally conducted a risk analysis, it and subsequent risk
analyses were not sufficient to meet HIPAA security rule requirements,
according to OCR.

OCR has now levied major sanctions against nearly 50 HIPAA covered
entities. However, starting in 2016, OCR has ramped up HIPAA enforcement
actions and is levying considerably higher fines, focusing on covered
entities’ need to have viable risk assessment programs in place. Fines
levied against providers in 2016 and 2017 have ranged from $2.14 million to
$5.55 million.

However, in the announcement of sanctions against Metro Community Provider
Network, OCR appeared to give the organization a financial break because of
the nature of the work it does. “With this settlement amount, OCR
considered MCPN’s status as a federally qualified health center when
balancing the significance of the violation with MCPN’s ability to maintain
sufficient financial standing to ensure the provision of ongoing care.”

In response to a request for comment, Metro Community Provider Network
issued the following statement:

“In 2011, Metro Community Provider Network (MCPN) had a phishing incident
which was reported to Health and Human Services and the Office for Civil
Rights. Since that time, the organization has worked with these entities to
assure HIPAA compliance, including reaching an agreed upon settlement of
$400,000. MCPN is pleased with the work that has been done and continues to
assure that patient privacy is protected.”