Last week, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Denver-based Metro Community Provider Network (a federally qualified health center, or FQHC) will pay $400,000 and implement a corrective action plan to settle its violations of HIPAA. The violations include failure to conduct a risk analysis and to implement a corresponding risk management plan in accordance with the HIPAA Security Rule, which resulted in vulnerabilities that contributed to a data breach.
Why Should You Care?
Healthcare providers typically focus their HIPAA compliance efforts on the Privacy Rule and the Breach Notification Rule, often overlooking the importance of comprehensive compliance with the Security Rule. Although this HIPAA settlement may seem nominal, OCR took into account Metro Community Provider Network’s status as an FQHC serving a predominantly low-income patient population. This settlement, together with heftier recent settlements (including a $5.5 million settlement for lack of audit controls and a $5.55 million settlement for lack of a comprehensive risk analysis and risk management), underscores OCR’s strong message that covered entities must conduct comprehensive risk analyses and adopt strong risk management strategies to keep electronic PHI secure. We anticipate that OCR will continue to be very active in its enforcement of the Security Rule under the Trump administration.
What’s the Takeaway?
Healthcare providers, other covered entities, and their business associates should take this opportunity to review their HIPAA compliance programs, including performing an updated risk analysis and implementing corresponding updates to their risk management plans. Covered entities and business associates that fail to adequately protect electronic PHI are exposing themselves to significant liability under HIPAA and state privacy and data security laws.