OCR Settlement Lessons - Failing to Perform an Electronic Access Risk Analysis Before an Unauthorized Access Occurs

Ruder Ware
Failing to conduct a risk analysis before a hacking incident resulted in a $400,000 settlement between the HHS Office for Civil Rights (OCR) and a Federally Qualified Health Center (FQHC). The FQHC filed a breach report after learning that employee email accounts had been hacked and that the attacker had access to the electronic protected health information (ePHI) of more than 3,000 patients. OCR's investigation, triggered by the breach report, found that the provider took the required corrective action in response to the breach but had failed to conduct a timely risk analysis. Specifically, the provider had not assessed the risks and vulnerabilities to its ePHI before the breach and had not implemented a corresponding risk management plan to address those risks. Even the risk analysis the provider eventually conducted was, in OCR's view, insufficient to meet the HIPAA Security Rule's standard.

Lesson 1 – Conduct an accurate and thorough analysis of the risks and vulnerabilities to your ePHI before an unauthorized access incident occurs, and follow it with a risk management plan that actually addresses the findings. The Security Rule requires both (45 CFR 164.308(a)(1)(ii)(A) and (B)); responding well to a breach after the fact does not cure the failure to do this work beforehand.

Lesson 2 – OCR took into account that the provider was an FQHC and still imposed a $400,000 settlement. Status as a safety-net provider does not exempt a covered entity from the Security Rule or materially soften the penalty.

Lesson 3 – Do not overlook the HIPAA Security Rule. Privacy Rule compliance alone is not enough; the electronic safeguards, and the documented risk analysis that drives them, are what OCR examines after a breach.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ruder Ware | Attorney Advertising
