August 23, 2019

A Failure to Plan is a Plan to Fail: $400,000 HIPAA Settlement Highlights the Importance of Risk Assessments and Management Plans

Key Takeaway:

  • HIPAA requires Covered Entities to proactively conduct risk assessments and implement risk management plans to prevent data breaches

Metro Community Provider Network (MCPN) has entered into a $400,000 Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement and three-year corrective action plan with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The parties settled MCPN’s potential noncompliance with the HIPAA Privacy and Security Rules, stemming from a phishing incident that gave impermissible access to the electronic protected health information (ePHI) of 3,200 individuals.

MCPN – a federally qualified health center located in Colorado that serves approximately 43,000 low-income patients annually – filed a HIPAA Breach Notification Report on January 27, 2012, following the phishing incident. Although OCR determined that MCPN took necessary corrective action related to the phishing incident itself, MCPN had failed to conduct any prior risk assessments to detect the vulnerabilities in its ePHI environment as required by HIPAA. More specifically, OCR’s investigation revealed that MCPN failed to (1) implement policies and procedures to prevent, detect, contain, and correct security violations, and (2) implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Per its corrective action plan, MCPN must conduct a risk analysis and implement a risk management plan to reduce or eliminate any risks to ePHI. MCPN must also review and revise its current Security Rule Policies and Procedures based on its findings and the implementation of its risk management plan. Lastly, MCPN is required to update its current Security Rule training materials to reflect the new information it gathers regarding its risks and any of the revisions MCPN makes to its policies and procedures. HHS will review the training materials and ultimately require MCPN to administer a Security Rule training program to each member of its workforce who has or will have access to ePHI.

This OCR HIPAA settlement, reached less than one month after Roger Severino’s appointment as OCR Director in late March 2017, indicates that there is no slowing down on HIPAA enforcement at HHS under the new administration. Recent HIPAA settlements such as this one emphasize the importance of properly conducting risk analyses and implementing risk management plans to secure ePHI. The OCR’s press release on the settlement is available here.

©2019 Drinker Biddle & Reath LLP. All Rights Reserved


About this Author

Jennifer R. Breuer, Attorney, Drinker Biddle, Healthcare Lawyer

Jennifer R. Breuer represents health care providers and suppliers in transactional, compliance and regulatory matters, with a focus on Stark Law and Anti-Kickback Statute compliance for hospital-physician relationships. Jen also advises on data strategy and privacy law compliance for electronic health records, health information exchanges and other technology platforms. She regularly assists in the development of compliance strategies for ehealth and telemedicine providers.

Prior to attending law school, Jen worked as a strategy...

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection. In the Division of Privacy and Identity Protection, Katherine led Fair Credit Reporting Act (FCRA) initiatives, including law enforcement investigations, consent negotiations, rulemakings, and other interpretive policy initiatives. During Katherine’s tenure at the Commission, she served as an Attorney Advisor to Chairman Janet Steiger and Commissioner Sheila Anthony and was responsible for counseling on matters of consumer protection policy and enforcement.

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...