From Health Law Daily, April 13, 2017

Breach investigation uncovers lack of risk assessment

By Sarah E. Baumann, J.D.

A federally qualified health center (FQHC) entered into a resolution agreement and a corrective action plan (CAP) with the HHS Office for Civil Rights (OCR) as a result of its failure to conduct a timely and effective risk analysis pursuant to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Security Rule. Metro Community Provider Network (MCPN) agreed to pay $400,000 to resolve allegations that it did not comply with the Rule’s requirements, which may have led to a hacking incident that compromised the electronic protected health information (ePHI) of 3,200 individuals. The CAP is effective for three years (Resolution Agreement, April 7, 2017).

MCPN serves patients in the greater Denver, Colorado metropolitan area, many of whom have incomes at or below the poverty level. It provides primary medical care, dental care, pharmacies, social work, and behavioral health care services. On December 5, 2011, MCPN became aware that a hacker accessed employee email accounts as part of a phishing scam and "obtained" the individuals’ ePHI. It notified the OCR of the breach in a timely manner on January 27, 2012.

The Security Rule requires HIPAA covered entities (CEs) and business associates (BAs) to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, or availability of the ePHI they maintain and then implement measures sufficient to reduce those identified risks and vulnerabilities (45 C.F.R. Sec. 164.308(a)(1)). The OCR’s investigation revealed that MCPN failed to conduct a risk analysis prior to the incident. Although it conducted an analysis in February 2012, along with subsequent analyses, they all failed to meet Security Rule requirements.

The OCR balanced MCPN’s status as an FQHC and its service to low-income patients with the significance of the violation before arriving at the $400,000 figure. Pursuant to the CAP, MCPN must conduct a risk analysis and review it at least annually, develop and implement a risk management plan, review and revise policies and procedures, review and revise training materials, notify the OCR of any reportable events, submit implementation and annual reports, and retain documents associated with the CAP for six years. Should MCPN breach the CAP, it could be subject to civil monetary penalties (CMPs).

Companies: Metro Community Provider Network
