OCR Signs $400K HIPAA Settlement with Colorado-Based Health Center
HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again
A Colorado-based community healthcare center is the latest healthcare entity to learn an expensive lesson from the Department of Health and Human Services Office for Civil Rights about the importance of conducting a timely and comprehensive risk assessment.
In an April 12 statement, OCR says it has signed a $400,000 resolution agreement and corrective action plan with Metro Community Provider Network, a federally-qualified health center, to settle "potential noncompliance" with the HIPAA privacy and security rules following OCR's investigation into a 2012 breach.
MCPN in January 2012 filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' electronic protected health information through a phishing incident.
Although OCR says its investigation revealed that MCPN took necessary corrective action related to the phishing incident, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012 - about a month after the entity reported the breach to OCR.
"Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis," OCR says.
When MCPN finally conducted a risk analysis, that study, as well as all subsequent risk analyses, were insufficient to meet the requirements of the HIPAA security rule, OCR says.
The resolution agreement with MCPN "is another example of how OCR looks at an information security incident that results in a breach as a symptom of larger issues that indicate general failures to have appropriate safeguards in place," notes attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"As we have seen in the past, the investigation focused on the failure of conducting an enterprise wide information security risk analysis and implementing a risk management plan to address the vulnerabilities found by the assessment."
A Matter of Trust?
Patients seeking healthcare trust that their providers will safeguard and protect their health information, says Roger Severino, the new OCR director, in the statement about the MCPN settlement.
"Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities," he says. The settlement with MCPN is the first HIPAA enforcement action revealed by OCR since Severino joined the agency in March as part of the Trump administration's HHS leadership team.
Privacy attorney Kirk Nahra of the law firm Wiley Rein suspects that the investigation by OCR into the MCPN case, and the resulting settlement, were likely in the works for at least two or three years, "well before a new head was named, certainly before the [Presidential] election even."
The lack of a timely, comprehensive, and enterprise-wide risk analysis - as well as the failure to follow up with mitigation remedies to address risks identified in the assessments - has been a recurring theme in most of OCR's 47 HIPAA enforcement actions related to breach investigations since 2008.
"OCR continues to view a good risk analysis as foundational to HIPAA Security Rule compliance," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "'All roads lead to Rome,' and almost all breaches lead OCR to identifying a lack of risk analysis and risk management."
For example, risk analysis was also cited by OCR in its $5.5 million settlement in February with Memorial Healthcare System.
In that case, several Memorial Healthcare employees accessed more than 100,000 patients' records without authorization. That case, which also subsequently led to criminal charges, is the second largest HIPAA settlement by OCR to date.
In its statement about MCPN, OCR implies that the $400,000 settlement amount in that case might also have been higher. However, OCR notes it "considered MCPN's status as a federally-qualified health center when balancing the significance of the violation with MCPN's ability to maintain sufficient financial standing to ensure the provision of ongoing patient care."
MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level, OCR says.
MCPN Corrective Action Plan
In its corrective action plan with OCR, MCPN agreed to take a number of steps to bolster its security practices, including:
- Conducting a comprehensive and thorough risk analysis of security risks and vulnerabilities that includes systems at all current MCPN facilities;
- Developing an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
- Reviewing, and if necessary, revising, its current HIPAA security rule policies and procedures based on the findings of the risk analysis;
- Providing its workforce with revised training materials based on any revisions to its policies and procedures as a result of the MCPN risk analysis findings.
Lessons to Learn
The biggest lesson emerging from OCR's latest HIPAA settlement is: "do a risk assessment; and do the best you reasonably can, before, during and after something happens," says Nahra, the attorney.
"There aren't any 'free passes,' but OCR can tell when you have been working diligently to do the right things."
While many of OCR's previous HIPAA settlements have centered on breach cases involving lost or stolen unencrypted computing or storage devices; lack of business associate agreements; and inappropriate disposal of PHI, it's likely there will be additional settlements in the future involving other hacker breaches, Nahra predicts.
"We will certainly see more hacker cases, but there's no 'focus' [by OCR] on these cases. OCR addresses, for the most part, what comes to them" in breach reports, Nahra notes.
In some previous hacker breach cases investigated by OCR, "companies have actually had 'reasonable and appropriate' precautions in place, so OCR does not feel a need to take enforcement action," he notes.
"This is part of OCR's overall enforcement approach, which is reasonable, appropriate and thoughtful, and distinguishes between entities that are trying hard, and those that aren't."
Holtzman says he also expects that OCR will issue a number of future resolution agreements involving organizations that have suffered breaches resulting from phishing scams or other cybersecurity incidents.
"First, OCR's records show that the number of breaches caused by these types has increased dramatically over the last few years. Second, there seems to be an average period of three to four years between the reporting of the breach incident and OCR's completion of the investigation that would result in an enforcement action," he notes.
However, "as the resolution agreement with MCPN shows, a fine or penalty is more likely to be levied when OCR's investigation finds that the root cause of the hacking incident was that the organization had not performed an enterprise wide information security risk analysis to assess the threats and vulnerabilities to the PHI prior to the occurrence of the breach."