“[Metro Community Provider Network] provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.” Source: hhs.gov
It appears the Office for Civil Rights (OCR) weighed the provider's ability to continue its indigent care when assessing the $400,000 fine, but ultimately decided that the failure to audit its ePHI environment, and therefore to adjust its privacy and security policies, procedures and training, was the more important factor.
The government press release goes on to state that, “On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.”
All providers, practice managers and compliance staff should note that the initial problem was handled properly. Unfortunately for the network, the secondary inquiry into policies and procedures uncovered additional problems that helped to generate a larger investigation and resulted in the huge fine.
With all the uncertainty in healthcare at present, the ability of HHS and OCR to levy crushing fines remains secure. There is no good reason to risk an investigation that could put your practice out of business, so please heed the warnings and get compliant.
Julie-Karel Elkin is a Member and the Chief Compliance Officer at Spicer Rudstrom PLLC. She is the head of the Health Data Privacy and Security practice and has been helping companies and practices large and small with all aspects of their compliance needs for more than 20 years. Ensuring her clients protect and secure data through better training and the sensible use of technology is at the core of her mission.
ABOUT SPICER RUDSTROM PLLC
Spicer Rudstrom PLLC was founded in 1963 and currently has more than 40 attorneys with offices in Memphis, Nashville, Chattanooga, Knoxville, Little Rock and Texarkana. We offer representation across industries, including construction, real estate, employment, medical malpractice, retail and hospitality, trucking and transportation, and business. Our clients range from local and national businesses to international companies seeking business, legal and litigation services. The firm’s commitment to its clients and its entrepreneurial spirit drives Spicer Rudstrom to be the premier litigation firm in the South. For more information, visit www.spicerfirm.com.