April 25, 2017 - 2:30pm
It’s Just Plain Risky Not to Do A Risk Analysis: Recent OCR Settlement One of Several Resulting from Failure to Analyze and Address Risks to ePHI

On April 12, 2017, the Office for Civil Rights (“OCR”) announced a settlement and corrective action plan with a Colorado federally-qualified health center, Metro Community Provider Network (“MCPN”), after a 2012 breach of electronic protected health information affected roughly 3,200 individuals.  OCR alleged that MCPN failed to conduct any risk analyses, as required by the HIPAA Security Rule at 45 C.F.R. 164.308(a)(1)(ii)(A), prior to the breach, and even when MCPN began performing the analyses, it did so in a way that was insufficient to meet the Security Rule requirements.  The parties reached a $400,000 settlement, which was in part due to a balancing of the severity of the incident and identified violations with MCPN’s service to the Denver area’s low-income population.

This settlement is notable for several reasons, not the least of which is the fact that the lack of a risk analysis was again the focus of a HIPAA settlement.  Risk analyses, which require the entity to routinely “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” are a key component of the HIPAA Security Rule, and one on which OCR has repeatedly focused its enforcement efforts.  The risk analysis requirement is closely tied to another Security Rule requirement, the risk management plan.  The Security Rule at 45 C.F.R. 164.308(a)(1)(ii)(B) requires that a covered entity or business associate use the results of the risk analysis to create a plan for the implementation of necessary security measures.

In addition, this settlement reemphasizes the importance of HIPAA security training for all workforce members.  MCPN’s data breach was the result of a “phishing” email attack.  A “phishing” email attack is one in which a hacker sends an email to an individual with an attachment or link that requires the submission of information that later allows further intrusion.[i]  The Security Rule requires that covered entities and business associates provide training to their workforce members on data security practices and principles.[ii]  This training, paired with additional requirements to implement technical security practices, such as anti-virus and spyware protection, is designed to prevent or limit the impact of such attacks.[iii]  However, phishing attacks and other incidents assisted by human error will continue to play a role in the occurrence of data breaches.[iv]

Finally, like other OCR settlements, the settlement with MCPN was driven mostly by a failure to implement and internalize the HIPAA standards prior to and after the breach.  OCR notes in its press release that MCPN appropriately responded once it identified that a breach had occurred.  Instead, OCR’s main concern was with the failure of MCPN to satisfy certain Security Rule requirements.  Data breaches in the health care sector are ubiquitous; for example, a report from analytics company Protenus, Inc. indicates that at least one health care data breach occurred each day in 2016.[v]  With breaches in the health care industry so common, each covered entity and business associate should ensure that it incorporates HIPAA into its overall compliance plan, as failure to do so could affect the outcome of any future investigation or settlement.  Although meeting the numerous Security Rule requirements can seem like a hassle to covered entities and business associates, the requirements are designed to help organizations prevent, detect, or mitigate the inevitable breach.
[i] “Report Phishing Sites,” US-CERT, https://www.us-cert.gov/report-phishing (last visited Apr. 17, 2017).
[ii] 45 C.F.R. 164.308(a)(5)(i).
[iii] 45 C.F.R. 164.308(a)(5)(ii).
[iv] See e.g., 2016 Cost of Data Breach Study: Global Analysis, IBM and the Ponemon Institute, June 2016, available at http://www.ponemon.org/news-2/71.
[v] Breach Barometer Report: A Year in Review, 2016 Averaged at Least One Health Data Breach Per Day, Affecting More than 27M Patient Records, Protenus, Inc. in collaboration with DataBreaches.net, 2017, available at https://www.protenus.com/hubfs/Breach_Barometer/Protenus%20Breach%20Barometer-2016%20Year%20in%20Review-%20final%20version.pdf.