Englewood, Colo.-based Metro Community Provider Network will pay $400,000 and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it failed to properly safeguard electronic protected health information.
MCPN — a federally qualified health center — provides medical, dental, pharmacy, social work and behavioral health services to roughly 43,000 patients each year. On Jan. 27, 2012, the network filed a breach report with HHS' Office for Civil Rights after a hacker accessed employee email accounts and obtained 3,200 individuals' PHI.
Although MCPN took necessary corrective action following the incident, an OCR investigation found MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach, the network had not conducted an appropriate risk analysis to identify vulnerabilities. The risk analyses following the breach were "insufficient to meet the requirements of the Security Rule," according to an HHS news release.
"Patients seeking healthcare trust that their providers will safeguard and protect their health information," said Roger Severino, JD, newly appointed OCR Director. "Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities."
Since the 2011 breach, MCPN has worked with HHS and OCR to assure HIPAA compliance, including reaching the agreed-upon settlement, MCPN leadership told Becker's Hospital Review via email. "MCPN is pleased with the work that has been done and continues to assure that patient privacy is protected," the network said in the email.