Another HIPAA settlement for lack of risk analysis

Blog Post

Yesterday, the Department of Health and Human Services Office for Civil Rights (OCR) announced its HIPAA settlement with a Colorado federally qualified health center (FQHC) for failure to conduct risk analysis to assess the risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). The FQHC (Metro Community Provider Network) agreed to pay $400,000 and implement a corrective action plan.

The investigation arose from MCPN’s January 2012 report of a phishing incident that allowed a hacker to obtain ePHI of 3,200 individuals by accessing employee email accounts. OCR determined that MCPN failed to conduct risk analysis prior to the incident and therefore failed to implement risk management plans to address risks and vulnerabilities. In addition, OCR found that even subsequent risk analyses failed to satisfy Security Rule requirements.

In its press release OCR stated that it considered MCPN’s FQHC status and its financial standing in determining the settlement amount. OCR also noted that MCPN took appropriate corrective action after discovering the phishing incident. These comments suggest that the settlement amount could have been much higher if not for these factors.

This is another in a long line of HIPAA settlements based on lack of adequate risk analysis, and serves as a reminder of the importance of risk analysis in protecting the privacy and security of PHI and complying with the HIPAA Rules. 

The press release, resolution agreement and corrective action plan are available here.