Unsuccessful to undertook a risk analysis and establish a risk management plan as required under the HIPAA privacy and security rules has landed a provider agency in trouble with the HHS Office for Civil Rights, leading to a $400,000 fine and imposition of a 3-year corrective action plan. Metro Community Provider Network is a huge federally qualified health center with 21 clinics serving 43,000 primarily poor sufferers in 5 counties throughout the Denver region. Its services involve primary care, pharmacy, dental, social work and behavioral health.
In the month of January 2012, Metro Community Provider Network informed OCR that a hacker accessed workers’ email accounts through a phishing attack and gained electronic protected health information on 3,200 people. “OCR’s investigation disclosed that MCPN took important corrective action related to the phishing tragedy; although, the investigation also unveiled that MCPN failed to conduct a risk analysis until the year of mid-February 2012,” the agency asserts in a statement.
When MCPN ultimately conducted a risk analysis, it and subsequent risk analyses weren’t enough to meet HIPAA security rule requirements, in accordance to OCR.
OCR has now levied huge sanctions against almost 50 HIPAA covered entities. Although, starting in the year of 2016, OCR has ramped up HIPAA enforcement actions and is levying considerably higher fines, concentrating on covered entities’ requirement to have viable risk assessment programs in place. Fines levied against providers in the year of 2016 and 2017 have ranged from $2.14 million to $5.55 million.
However, in the declaration of sanctions against Metro Community Provider Network, OCR appeared to provide the organization a financial break due to the nature of the work it does. “With this settlement amount, OCR considered MCPN’s status as a federally qualified health center when balancing the importance of the violation with MCPN’s capability to maintain sufficient financial standing to make sure the provision of ongoing care.”
In response to an appeal for comment, Metro Community Provider Network released the following statement:
“In the year of 2011, Metro Community Provider Network (MCPN) had a phishing tragedy which was reported to Health and Human Services and the Office for Civil Rights. Since that time, the agency has worked with these entities to assure HIPAA compliance, involving reaching an agreed upon settlement of $400,000. MCPN is happy with the work that has been done and continues to assure that sufferer privacy is protected.”
The resolution agreement and corrective action plan are available here.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment