On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Metro Community Provider Network (“MCPN”) that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information (“PHI”).
In January 2012, MCPN submitted a breach report to OCR indicating that it had suffered a breach following a phishing incident that affected 3,200 patients. OCR investigated MCPN and found that, while MCPN had taken corrective action following the incident, it had not conducted a risk analysis until February 2012 and had never implemented a risk management plan. In addition, the risk analysis MCPN eventually conducted was deemed “insufficient to meet the requirements of the Security Rule.”
The resolution agreement requires MCPN to pay $400,000 to OCR and enter into a Corrective Action Plan that obligates MCPN to:
- conduct a risk analysis and submit it to OCR for review and approval;
- implement a risk management plan to address and mitigate the risks and vulnerabilities identified in the risk analysis;
- revise its policies and procedures based on the findings of the risk analysis;
- review and revise its HIPAA training materials;
- report any events of noncompliance with its HIPAA policies and procedures; and
- submit annual compliance reports for a period of three years.
In the settlement with MCPN, OCR balanced MCPN’s HIPAA violations with its status as a federally qualified health center that provides medical care to patients who have incomes at or below the poverty level. OCR Director Roger Severino stated that “Patients seeking health care trust that their providers will safeguard and protect their health information. Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”