Yesterday, the Department of Health and Human Services Office for Civil Rights (OCR) announced its HIPAA settlement with a Colorado federally qualified health center (FQHC) for failing to conduct a risk analysis to assess the risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI). The FQHC (Metro Community Provider Network) agreed to pay $400,000 and implement a corrective action plan.
The investigation arose from MCPN’s January 2012 report of a phishing incident that allowed a hacker to obtain ePHI of 3,200 individuals by accessing employee email accounts. OCR determined that MCPN failed to conduct a risk analysis prior to the incident and therefore failed to implement risk management plans to address risks and vulnerabilities. In addition, OCR found that even subsequent risk analyses failed to satisfy Security Rule requirements.
In its press release, OCR stated that it considered MCPN’s FQHC status and its financial standing in determining the settlement amount. OCR also noted that MCPN took appropriate corrective action after discovering the phishing incident. These comments suggest that the settlement amount could have been much higher if not for these factors.
This is another in a long line of HIPAA settlements based on lack of adequate risk analysis, and serves as a reminder of the importance of risk analysis in protecting the privacy and security of PHI and complying with the HIPAA Rules.
The press release, resolution agreement and corrective action plan are available here.