On April 12, 2017, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Metro Community Provider Network (MCPN) agreed to pay HHS $400,000 to settle alleged HIPAA Security Rule noncompliance issues. The settlement arose after a phishing incident led to the disclosure of 3,200 individuals’ protected health information (PHI).
MCPN is a federally qualified health center (FQHC) in the Denver, Colorado metropolitan area that provides services – primary medical care, dental care, pharmacy, social work, and behavioral health care services – to approximately 43,000 individuals annually, the majority of whom have incomes at or below the federal poverty level.
In January 2012, MCPN filed a breach report with OCR stating that a hacker accessed MCPN employees’ email accounts and obtained the PHI of approximately 3,200 individuals. OCR’s subsequent investigation revealed that prior to the phishing incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities to its electronic PHI (ePHI), and therefore had not implemented a risk management plan to address the risks and vulnerabilities that would have been identified in the risk analysis. Moreover, OCR concluded that when MCPN ultimately did perform a risk analysis (and subsequent risk analyses), those analyses were insufficient to meet the requirements of the HIPAA Security Rule.
As part of the three-year Corrective Action Plan (CAP) between HHS and MCPN, MCPN agreed to perform each of the following:
conduct a HIPAA Security Rule risk analysis that includes all of its current facilities and electronic equipment, data systems and applications controlled, currently administered or owned by MCPN, that contain, store, transmit or receive ePHI;
develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified from the HIPAA Security Rule risk analysis;
review and revise its Security Rule policies and procedures based upon the risk analysis findings and the implementation of the risk management plan; and
review and revise its HIPAA Security Rule training materials based upon the risk analysis and risk management plan.
MCPN also agreed as part of the CAP to provide an initial implementation report once its updated training materials are approved by HHS, and thereafter submit annual compliance reports for the duration of the CAP. The Resolution Agreement and CAP may be found on the OCR website.
In its press release announcing the settlement, OCR suggested that the $400,000 fine could have been larger if MCPN were not an FQHC, and that OCR balanced the severity of the noncompliance against the important services MCPN provides to a vulnerable population.
OCR has continued to shift its focus and enforcement activities to the HIPAA Security Rule (as opposed to the Privacy Rule). All covered entities and business associates should review the Security Rule compliance standards and ensure ongoing compliance. The Security Rule has “required” and “addressable” standards. “Required” means the covered entity must implement the specification. “Addressable” means the covered entity must assess whether the implementation specification is a “reasonable and appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting [ePHI]” and then either implement the specification or, if the specification is determined not reasonable and appropriate, (i) document why it would not be reasonable and appropriate to implement; and (ii) implement an equivalent alternative measure if reasonable and appropriate.
Phishing incidents are only one example of the ongoing challenges covered entities and business associates face in protecting ePHI. Moreover, once a breach incident is reported to OCR, the follow-up investigation can be prolonged, arduous, invasive and costly. Preventive and ongoing compliance is highly recommended.