Denver-Based Metro Community Agrees $400,000 HIPAA Penalty

Metro Community Provider Network (MCPN), a Denver, CO-based federally-qualified health center (FQHC), has agreed to pay OCR $400,000 and implement a stringent corrective action plan to resolve all HIPAA compliance issues found during an OCR investigation into a a data breach that occurred in 2011.

The incident that lead to the OCR investigation was a phishing attack that happened on December 5, 2011. A hacker sent phishing emails to (MCPN) personnel, the responses to which allowed that person that to gain access to employees’ email accounts. Those accounts stored the electronic protected health information of 3,200 patients.

OCR looks into all data breaches involving more than 500 patient records to determine whether healthcare organizations have experienced a violation as a direct result of violations of HIPAA Rules. OCR did find that MCPN took the necessary steps following the breach to stop additional phishing attacks infiltrating their systems; however, OCR investigators identified multiple violations of HIPAA Rules.

Phishing attacks on healthcare groups are to be expected and it would be unreasonable to expect healthcare groups to be able to minimize the risk of a successful phishing attack to zero. However, HIPAA-covered organizations must take steps to identify potential weaknesses and to take action to lessen risks to an appropriate level.

One of the most important elements of the HIPAA Security Rule is the risk analysis. The aim of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not completed, HIPAA-covered organizations will not be able to deduce with any degree of certainty whether all risks have been found. Appropriate security measures to reduce those risks to acceptable levels would therefore be unlikely to be put in place.

While OCR confirmed that MCPN had completed a risk analysis, it had not been finished until mid-February 2012, more than two months after the phishing attack had happened. Furthermore, that risk analysis and all later risk analyses performed by MCPN did not match the minimum requirements of the HIPAA Security Rule.

The absence of a risk analysis meant MCPN did not identify all risks and weaknesses to the confidentiality, integrity, and availability of ePHI that the group held. MCPN also failed to put in place a risk management plan to address risks identified in the risk analysis.

OCR also ruled that MCPN had failed to adopt appropriate security policies to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been adopted.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as a FQHC and its financial stanfing to ensure MCPN could maintain adequate funding to continue to provide ongoing patient care. The HIPAA settlement could have been considerably larger.

Author: Maria Perez