Rumors of the demise of enforcement of HIPAA’s security and privacy rules are, with apologies to Mark Twain, apparently exaggerated. On April 12, 2017, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services announced a $400,000 penalty settlement for breaches stemming from a cyberattack.
Metro Community Provider Network (“MCPN”), which provides medical, mental health, dental and pharmaceutical services throughout the Denver area, had self-reported a cyberattack that resulted in the breach of health information of 3,200 individuals. Consistent with the pattern of OCR findings in earlier penalty proceedings involving breaches that followed a cyberattack, OCR found that MCPN violated the HIPAA Security Rule by failing to adequately recognize the risks of such an attack in its HIPAA Security Risk Analysis. The Resolution Agreement also noted that MCPN had not implemented appropriate safeguards to reduce the risk of breaches through cyberattack.
The Resolution Agreement comprised a monetary penalty of $400,000 and a Corrective Action Plan. The Plan requires MCPN to prepare a Security Risk Analysis Plan within thirty days and submit it to OCR for approval; develop and implement a Risk Management Plan for addressing security risks; and review, revise and prepare updated security policies and procedures that OCR will review. The consultants’ and lawyers’ fees in preparing and submitting these documents will, needless to say, add substantially to MCPN’s costs as a result of this incident.
OCR has sent a clear statement that the change in Administration will not impact its vigilance in the protection of personally identifiable health information. By this press release, it also has advised the healthcare community that, while any organization can be hacked, attacks will frequently lead to investigations and penalties if OCR determines that appropriate safeguards to reduce risk were not in place at the time of the cyberattack. The message is clear: Be proactive in cyber defenses, bring in the resources necessary to do so and document your cybersecurity efforts before the attacker strikes. For most health organizations, it’s not a matter of whether an attacker will strike, but when.
If you have questions or require assistance regarding health cybersecurity compliance or investigation counsel, please contact Kenneth N. Rashbaum.