Failing to conduct a risk analysis and not implementing a corresponding risk management plan to address found risks and vulnerabilities were part of the reasoning behind the latest OCR HIPAA settlement.
Metro Community Provider Network (MCPN) agreed to a $400,000 settlement stemming from data breach allegations that took place in 2012.
MCPN is a federally-qualified health center (FQHC), a fact that OCR said it took into consideration “when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.”
MCPN filed a data breach report on January 27, 2012, and said that a hacker had accessed employees' email accounts. The hacker obtained 3,200 individuals' ePHI through a phishing incident.
“MCPN reported that on December 5, 2011, it became aware that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI,” the resolution agreement explained. “On April 6, 2012, HHS notified MCPN that it was initiating an investigation into the breach.”
An OCR investigation found that MCPN had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI security. The health center also “failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
“Patients seeking health care trust that their providers will safeguard and protect their health information,” OCR Director Roger Severino said in a statement. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”
Per its corrective action plan, MCPN must conduct a risk analysis and then implement an applicable risk management plan.
“MCPN shall conduct a current, comprehensive, and thorough Risk Analysis of security risks and vulnerabilities to include all of its current facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by MCPN, that contain, store, transmit, or receive [ePHI],” the resolution agreement said. “MCPN shall review the Risk Analysis annually (and more frequently, if appropriate) and shall promptly update the Risk Analysis in response to environmental or operational changes affecting the security of ePHI.”
The health center also needs to review and revise its policies and procedures related to ePHI security. All employee training materials will need to be reviewed and revised as necessary, according to OCR.
The risk analysis is part of the HIPAA Security Rule. It requires healthcare organizations to evaluate the likelihood and impact of potential risks to ePHI, implement appropriate security measures to address those risk areas, and document the security measures.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
HHS uses four factors to determine the likelihood that PHI was inappropriately used or disclosed in a potential breach. By reviewing these factors, covered entities and business associates can better understand how to review possible risk areas.
- What is the nature of the information involved?
- Who is the authorized person responsible?
- Was PHI actually acquired or viewed?
- To what extent has the risk to PHI been mitigated?
Risk analyses and risk management were also one of the key focus areas in the 2016 OCR HIPAA settlements.
For example, Advocate Health Care Network (Advocate) had the largest OCR HIPAA settlement at the time of publication, with a $5.55 million agreement. Advocate faced multiple alleged HIPAA violations and noncompliance issues.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” former OCR Director Jocelyn Samuels said in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”