Another HIPAA Settlement Highlights Need for Risk Analysis of ePHI Environment

On April 12, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI).

Metro Community Provider Network (MCPN), a federally qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan.

On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. According to OCR, “Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.”

This is another reminder for healthcare organizations to conduct a risk analysis of their ePHI environment and ensure any identified vulnerabilities are addressed.

OCR has posted educational materials on the HHS.gov website to help healthcare organizations learn more about the HIPAA Security Rule and other sources of standards for safeguarding ePHI.

MCN HEALTHCARE
