Whether your practice accesses, creates, modifies, or stores electronic protected health information (ePHI) you must do everything possible to reduce, and eliminate as much as possible, any risks to that information.
For one entity, a recent $400,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) settlement demonstrates the importance of identifying and managing risks to ePHI.
OCR recently announced that Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan.
According to the announcement:
- MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident.
- MCPN addressed took necessary corrective action steps to address the phishing incident but failed to conduct a security risk analysis until almost a month later.
- Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and did not have implemented risk management plans to address the risks and vulnerabilities identified in a risk analysis.
- OCR determined the MCPN risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.
What can we learn from this settlement?
Performing a security risk analysis and having a corrective action plan in place is not optional. And simply checking a box saying a security risk analysis was performed is not sufficient. Your practice should perform an initial analysis to identify risks and vulnerabilities, and have an action plan in place to address deficiencies. Some deficiencies could require immediate action, while others may be okay to address at a later date. What's important is to have a plan that will sufficiently manage risks and vulnerabilities. From there, you should perform or review subsequent risk analyses at least annually thereafter or if there is an incident such as hacking or phishing that impacts ePHI.
If you have any questions about security risk analysis requirements, please contact us by phone: 855-427-0427 or by email: [email protected].