OCR Settlement Lessons – No Risk Assessment Exposes Provider to Liability

Failure to conduct a risk assessment before a hacking incident occurred resulted in a $400,000 settlement between OCR and a Federally Qualified Health Clinic. The FQHC filed a breach report upon learning that its employee email accounts had been hacked and that the hacker had access to the electronic protected health information (ePHI) of over 3,000 patients. The OCR investigation that followed the breach disclosure revealed that the required corrective action was taken in response to the breach, but that the provider had failed to conduct a timely risk analysis. Furthermore, the provider had not assessed the risks and vulnerabilities to its ePHI prior to the breach and had not implemented corresponding risk management plans to address those electronic risks. Even when the provider did conduct a risk analysis, OCR found the analysis insufficient to meet HIPAA security standards.

Lesson 1 – Conduct a risk analysis of the vulnerabilities to your ePHI before an unauthorized access breach occurs, not after.

Lesson 2 – OCR took into account that the provider was a Federally Qualified Health Clinic and still imposed a $400,000 settlement amount.

Lesson 3 – Don’t overlook the HIPAA Security Rule.