A nonprofit health center in Colorado agreed to pay $400,000 to settle Health Insurance Portability and Accountability Act (HIPAA) security allegations after a hacker accessed employees’ e-mail accounts and obtained 3,200 individuals’ protected health information (PHI) in a phishing incident, the U.S. Department of Health and Human Services (HHS) announced April 12.
Metro Community Provider Network (MCPN) filed the required breach report with HHS in January 2012. On investigating, the HHS Office for Civil Rights (OCR) determined that MCPN had taken the necessary corrective action following the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012.
Specifically, before the incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities to its electronic PHI, and therefore had not implemented any corresponding risk management plans to address such risks, the OCR alleged. And when MCPN finally did start conducting risk analyses, they were insufficient to comply with HIPAA’s security rule.
The OCR suggested the $400,000 settlement amount could have been harsher, except that the agency took into account MCPN’s financial situation and its role in providing care to low-income patients in the Denver area.
Corrective Action Plan
The settlement also includes a detailed corrective action plan. MCPN has 30 days to submit, for HHS approval, a plan for conducting a HIPAA-compliant risk analysis. MCPN then must begin the risk analysis itself within 45 days after the HHS approves the plan, and complete it within a year after the settlement.
Based on the findings of the risk analysis, MCPN must develop and submit to the HHS a risk management plan that addresses the risks and vulnerabilities identified. Next, MCPN is to revise its HIPAA security policies, procedures, and training materials where needed to reflect the findings of the risk analysis and the implementation of the risk management plan.
OCR officials and other experts have repeatedly stressed the need for a strong, organization-wide risk analysis as a foundation for establishing HIPAA-compliant safeguards and warding off data breaches and liability exposure.