Recent Settlement of Alleged HIPAA Violations Demonstrates HHS’s Intent to Protect Both Patients and Healthcare Providers

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) harbors within it the Privacy and Security Rules, which lay down the law for the proper protection and accessibility of electronic protected health information (“ePHI”). Since HIPAA’s enactment, it has not been uncommon in the healthcare sphere to hear of HIPAA violations or settlements resulting in a federally-qualified health center (“FQHC”) paying out millions of dollars because of inadequate privacy or security. However, one would be remiss in thinking that the HHS Office of Civil Rights (“OCR”) was simply out to levy crippling fines on non-compliant healthcare providers.

A recent HIPAA settlement announced by OCR resulted in Metro Community Provider Network (“MCPN”) agreeing to pay $400,000 and implement a corrective action plan. MCPN, a Denver-based FQHC, fell victim to a phishing incident in which hackers were able to access 3,200 individuals’ ePHI through MCPN employee email accounts. MCPN promptly filed a breach report with OCR, which is the proper corrective action step to take in such a situation. OCR’s subsequent investigation revealed that MCPN had not conducted its first HIPAA-required risk analysis until after the phishing incident had taken place. Because no risk analysis had been performed before the phishing incident, MCPN had no active risk management plan that might have shed light on the vulnerabilities that led to the incident.

Although this was still considered a major security breach, OCR took several factors into account when deciding on the relatively soft penalty of $400,000. First, MCPN had promptly filed a breach report with OCR when it became aware of the phishing-related security breach. Second, because MCPN is an FQHC, OCR made sure to punish it for the breach, but in an amount that would not be so financially crippling that MCPN could no longer ensure patient care. Lastly, OCR cited the fact that MCPN provided a wide variety of medical services to roughly 43,000 patients, many at or below the poverty line.

Ultimately, this incident shows that OCR looks out for the best interests of both patients and healthcare providers that are making efforts to be in compliance. MCPN, as a “first-time offender” and an entity that did take some proper corrective action on its own initiative, paid out a settlement that could have been much larger, but was still large enough to get the point across. Because the settlement was not crippling, MCPN was able to continue to provide needed health services to a population that otherwise might not receive such care. While partial compliance with HIPAA is assuredly better than none, it is always best for FQHCs to be cognizant of their ongoing Privacy and Security Rule obligations, and to consult a healthcare attorney to best ensure full compliance.