Yesterday, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that a $400,000 settlement had been agreed with Metro Community Provider Network (MCPN) to resolve potential security management process HIPAA violations.
The Denver, CO-based federally-qualified health center (FQHC) experienced a phishing attack in December 2011 that resulted in unauthorized access to the email accounts of employees. The incident was reported to OCR as access to the email accounts allowed the attacker to view the protected health information of patients. In total, 3,200 patients were impacted by the incident and had their sensitive information exposed.
OCR conducted an investigation into the breach which revealed a number of security management process HIPAA violations had occurred. The response to the phishing attack was appropriate, but prior to the breach, MCPN had failed to conduct a risk analysis as required by the HIPAA Security Rule. The first risk analysis conducted by MCPN was in February 2012, well outside the deadline for compliance with the HIPAA Security Rule.
A risk analysis is one of the most important requirements of the HIPAA Security Rule. HIPAA-covered entities must conduct regular, HIPAA-compliant risk analyses to identify risks and vulnerabilities that could be exploited by malicious actors to gain access to electronic protected health information.
The risk analysis should identify those risks and vulnerabilities, and as part of the security management process, covered entities must mitigate those risks. However, OCR found that MCPN had done neither. Furthermore, the risk analysis that was conducted in February 2012 was not up to the standards demanded by the HIPAA Security Rule, and neither were all subsequent risk analyses conducted by MCPN.
Risk management plans had not been implemented to address risks to the confidentiality, integrity, and availability of ePHI and reduce them to an appropriate level, and policies and procedures had not been developed to allow MCPN to prevent, detect, contain, and correct security violations.
The severity of the security management process HIPAA violations was deemed to warrant a financial penalty rather than technical assistance.
For each violation category of HIPAA Rules, OCR can fine HIPAA-covered entities up to $1.5 million per calendar year that the violations persisted. The risk analysis failures alone – which spanned five years – could have seen OCR fine MCPN several million dollars; however, OCR took the financial position of MCPN into account when calculating an appropriate settlement amount. In order to allow MCPN to continue to provide care for patients, a HIPAA penalty of $400,000 was deemed appropriate.
In addition to the financial penalty, MCPN has agreed to a corrective action plan to address all HIPAA compliance issues discovered by OCR investigators.