Recent HIPAA breach settlement emphasizes the importance of a security risk assessment

On April 12th, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Metro Community Provider Network (MCPN), a federally qualified health center (FQHC) in Colorado. Pursuant to the settlement, MCPN agreed to pay $400,000 and implement a corrective action plan for alleged violations of the HIPAA Privacy and Security Rules.

The settlement stems from a breach that MCPN reported in 2012. Hackers used a phishing incident to access email accounts of MCPN employees, obtaining protected health information of 3,200 MCPN patients. Although HIPAA covered entities, such as MCPN, are required to conduct security risk analyses, MCPN did not conduct a HIPAA risk analysis until after discovery of the breach. In addition, OCR found that the risk assessments that MCPN did conduct were not sufficient to satisfy the requirements of the HIPAA Security Rule. Finally, OCR found that MCPN did not implement security risk management measures in compliance with the HIPAA regulations.

In addition to highlighting the importance of conducting security risk assessments, this breach settlement is another indication of how OCR is working through its backload of cases.

HIPAA compliance is one of the most important - and challenging - undertakings for a dental practice. Protect your patients - and your practice - by calling TREYSTA Dental and developing and implementing a complete HIPAA compliance program. With increased scrutiny by regulators and the possibility of penalties in the thousands and even millions of dollars for HIPAA violations, you can't afford not to. 

Call TREYSTA Dental for a risk assessment today!

The OCR press release on this settlement can be found here and the Resolution Agreement and Corrective Action Plan can be found here.