Daniel Vinish, Maida Oringher Lerner, Stephanie Willis, Kate M. Growley

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule.

Violations of the Security Rule have been a consistent focus of OCR within the past year. OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity’s or business associate’s ePHI environment.