On April 12th, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Metro Community Provider Network (MCPN), a federally qualified health center (FQHC) in Colorado. Pursuant to the settlement, MCPN agreed to pay $400,000 and implement a corrective action plan for alleged violations of the HIPAA Privacy and Security Rules.

The settlement stems from a breach that MCPN reported in 2012. Attackers used a phishing attack to gain access to the email accounts of MCPN employees, obtaining the protected health information of 3,200 MCPN patients. Although HIPAA covered entities such as MCPN are required by the Security Rule to conduct an accurate and thorough risk analysis, MCPN did not conduct one until after it discovered the breach. In addition, OCR found that the risk assessments MCPN did eventually conduct were not sufficient to satisfy the requirements of the HIPAA Security Rule. Finally, OCR found that MCPN did not implement risk management measures to reduce the identified risks to a reasonable and appropriate level, as the HIPAA regulations require.

In its press release, OCR explains that it considered MCPN’s status as a FQHC and that it balanced the significance of the alleged HIPAA violation with a penalty that would allow MCPN to continue to serve patients, a majority of whom have incomes at or below the federal poverty level.

In addition to highlighting the importance of conducting security risk analyses, this breach settlement is another indication of how OCR is working through its backlog of cases. The Resolution Agreement states that OCR notified MCPN more than five years ago that it was opening an investigation into MCPN's reported breach.

The OCR press release on this settlement can be found here and the Resolution Agreement and Corrective Action Plan can be found here.