August 18, 2017

Gone Phishin’: Hack Leads to HIPAA Settlement

Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.

The MCPN settlement underscores the importance of risk analyses and workforce training in avoiding phishing scams. Additionally, it is crucial that entities regulated by HIPAA conduct an enterprise-wide HIPAA risk analysis, update that analysis to address new threats, and implement policies and training based on identified risks. Failure to comply with these essential HIPAA requirements can turn a relatively routine breach investigation into a $400,000 settlement.

A copy of the MCPN resolution agreement and corrective action plan is available here. OCR’s press release on the settlement is available here. General Security Rule guidance from OCR is available here.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About this Author

Kate Stewart, Associate, Mintz Levin

Kate’s practice involves a variety of regulatory and transactional matters.

Kate works with hospitals, dialysis providers, retail clinics, clinical laboratories, pharmacies, and third-party administrators. She provides regulatory advice to clients on issues such as HIPAA Privacy Rule compliance, telemedicine requirements, and third-party administrator licensure. In her transactional practice, Kate has served as corporate and regulatory counsel to hospitals and dialysis providers in acquisitions and joint ventures, including due diligence, change of ownership, and contracting.

617-348-4427