Page 27 - Delaware Medical Journal - June 2017
P. 27
Phishing Incident Leads to $400,000 HIPAA Settlement
� Bruce D. Armon; Karilynn Bayus On April 12, 2017, the U.S.
Department of Health and
����������������������������
for Civil Rights (OCR) announced that Metro Community Provider Network (MCPN) agreed to pay HHS $400,000
to settle alleged HIPAA Security Rule noncompliance issues. The settlement arose after a phishing incident led to the disclosure of 3,200 individuals’ protected health information (PHI).
�����������������������������������
center (FQHC) in the Denver, Colorado metropolitan area that provides services — primary medical care, dental care, pharmacy, social work, and behavioral health care services — to approximately 43,000 individuals annually, the majority of whom have incomes at or below the federal poverty level.
�������������������������������������
report with OCR stating that a hacker accessed MCPN employees’ email accounts and obtained the PHI of approximately 3,200 individuals. OCR’s subsequent investigation revealed that prior to the phishing incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities to its electronic PHI
(ePHI), and therefore had not implemented a risk management plan to address the risks and vulnerabilities that would have been ������������������������������������������� OCR concluded that when MCPN ultimately did perform a risk analysis (and subsequent risk analyses), those analyses ������������������������������������������� of the HIPAA Security Rule.
In its press release announcing the settlement, OCR alluded that the $400,000 ����������������������������������������� not an FQHC and that OCR balanced the severity of the non-compliance with the important services MCPN provides to a vulnerable population.
OCR has continued to shift its focus and enforcement activities to the HIPAA Security Rule (as opposed to the Privacy Rule). All covered entities and business associates should review the Security Rule compliance standards and ensure ongoing compliance. The Security
Rule has “required” and “addressable” standards. “Required” means the covered ����������������������������������������� “Addressable” means the covered entity must assess whether the implementation �����������������������������������
appropriate safeguard in its environment when analyzed with reference to the likely contribution to protecting [ePHI]” and then ���������������������������������������������� ������������������������������������������� and appropriate, (i) document why it
would not be reasonable and appropriate to implement; and (ii) implement
an equivalent alternative measure if reasonable and appropriate.
Phishing incidents are only one example of the ongoing challenges for covered entities and business associates with respect to protecting ePHI. Moreover, once a breach incident is reported to OCR, the follow up investigation can be prolonged, arduous, invasive and costly. Preventive and ongoing compliance is highly recommended.
CONTRIBUTING AUTHOR
■ BRUCE D. ARMON is a Partner and Health Care Chair at the Saul Ewing law firm in Philadelphia.
■ KARILYNN BAYUS is a Special Counsel and Health Care Vice Chair at the Saul Ewing law firm in Philadelphia.
MEDICINE AND LAW
Del Med J | June 2017 | Vol. 89 | No. 6
187
