Failure to conduct a risk analysis and develop a risk management plan as required under the HIPAA privacy and security rules has landed a provider organization in trouble with the HHS Office for Civil Rights, leading to a $400,000 fine and imposition of a three-year corrective action plan.

Metro Community Provider Network is a large federally qualified health center with 21 clinics serving 43,000 primarily poor patients in five counties throughout the Denver region. Its services include primary care, dental, pharmacy, social work and behavioral health.

In January 2012, MCPN notified OCR that a hacker accessed employees’ email accounts via a phishing attack and obtained electronic protected health information on 3,200 individuals. “OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012,” the agency contends in a statement.

When MCPN finally conducted a risk analysis, it and subsequent risk analyses were not sufficient to meet HIPAA security rule requirements, according to OCR.

Also See: OCR rocks Memorial Healthcare System with $5.5 million fine

OCR has now levied major sanctions against nearly 50 HIPAA covered entities. However, starting in 2016, OCR has ramped up HIPAA enforcement actions and is levying considerably higher fines, focusing on covered entities’ need to have viable risk assessment programs in place. Fines levied against providers in 2016 and 2017 have ranged from $2.14 million to $5.55 million.

However, in the announcement of sanctions against Metro Community Provider Network, OCR appeared to give the organization a financial break because of the nature of the work it does. “With this settlement amount, OCR considered MCPN’s status as a federally qualified health center when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing care.”

In response to a request for comment, Metro Community Provider Network issued the following statement:

“In 2011, Metro Community Provider Network (MCPN) had a phishing incident which was reported to Health and Human Services and the Office for Civil Rights. Since that time, the organization has worked with these entities to assure HIPAA compliance, including reaching an agreed upon settlement of $400,000. MCPN is pleased with the work that has been done and continues to assure that patient privacy is protected.”

The resolution agreement and corrective action plan are available here.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access