The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced another Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement. This one is with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) that provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.
The terms of the settlement require MCPN to pay $400,000 and implement a Corrective Action Plan, which is a standard arrangement often used in these types of settlements. The fine, however, is not so standard. In this matter, MCPN had suffered a breach on January 27, 2012, and filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ electronic protected health information (ePHI) through a phishing incident. OCR determined that MCPN took necessary corrective action related to the phishing incident but that MCPN failed to conduct a timely risk analysis. MCPN’s risk analysis was not performed until Mid-February 2012, nearly a month after the breach was discovered.
Not only did OCR take issue with MCPN’s post-breach conduct, but OCR also determined that prior to the breach, MCPN had not conducted a risk analysis to fully understand and assess the risks and vulnerabilities in its ePHI environment. Not surprisingly, due to the failure to properly understand and access its vulnerabilities, MCPN had also failed to implement any corresponding risk management plans to address the risks and vulnerabilities that would have been identified in a risk analysis. Ultimately, OCR took issue with MCPN’s lack of a security management process to safeguard ePHI. When MCPN eventually performed a risk analysis, that risk analysis, as well as all subsequent risk analyses, were not sufficient to meet the requirements of the Security Rule.
MCPN’s status as a FQHC was considered in the OCR’s balancing of the weight of the violation with MCPN’s ability to maintain sufficient ongoing financial stability so it could ensure the provision of ongoing patient care. The OCR was clear that patients must be able to trust that their healthcare providers will safeguard and protect their private health information.
This settlement demonstrates OCR’s continued focus on ensuring healthcare organizations are HIPAA Security Rule complaint. All organizations handling ePHI must ensure they properly access their risks and vulnerabilities in advance of a breach and conduct a timely risk analysis in the event of a breach. The consequences of violators of the rule can be significant in that they can result in a loss of patient privacy, brand reputation, heavy monetary fines, and increased administrative scrutiny.
There are five security components to a risk management initiative: (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) organizational standards; and (5) policies and procedures. Healthcare providers subject to HIPAA’s Security Rule that have ePHI should consider taking the following steps that utilize all five security components to ensure compliance and proper protection of patient ePHI:
1. Define your culture as one where patient privacy and regulatory compliance with HIPAA/HITECH is of upmost concern and value.
2. Document your processes, findings, and actions as you put in place a privacy initiative to further drive the value of privacy and the company’s commitment to it.
3. Review existing security of ePHI and perform a risk analysis to determine corporate risks and vulnerabilities.
4. Develop and action plan that includes policies, procedures, and employee training to ensure a 360 approach to privacy protection and regulatory compliance.
5. Manage and mitigate risks identified in the initial risk analysis to tighten security and protect against risk and vulnerabilities.
6. Monitor, audit, and update security on an ongoing basis. Technology and hacker intrusion methods are ever changing. As such, it is imperative that companies continually stay apprised of technological developments and hacker intrusion methods and schemes and implement security initiatives to utilize technological privacy protections and further secure against security/breach incidents.
Sara Jodka (Of Counsel) may be reached in our Columbus office at 614-744-2943.