A recent breach settlement from Metro Community Provider Network highlights why the use of HIPAA compliance tools is so important in protecting against breaches.

HIPAA compliance toolsAn Office for Civil Rights (OCR) press release dated April 12 details the breach settlement from Metro Community Provider Network (MCPN). MCPN is a federally qualified health center in Denver, Colorado providing primary care, dental care, pharmaceutical services, social work, and behavioral health care services to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.

MCPN has agreed to pay $400,000 in HIPAA compliance fines and implement a corrective action plan as outlined by the OCR. The OCR stated they considered the status of MCPN as a federally qualified health center when determining the final fine. Essentially, if the OCR had set the fine higher, it might have forced MCPN to close and no longer provide important services to lower income individuals.

The breach was reported on January 12, 2012, stating that a hacker accessed patient information on approximately 3,200 individuals after a phishing incident. Phishing occurs when a hacker sends an email that looks like it’s coming from someone you know and asks you to provide information such as usernames and passwords, or runs malicious software on your computer.

After the breach was reported, the OCR performed a breach investigation of the incident and of MCPN’s current practices. In the investigation, the OCR discovered that while MCPN took corrective action after the phishing incident, there was no history of a risk assessment until February 2012. The OCR also discovered that the initial risk assessment and all others following were not sufficient.

This is quite common. Health care entities will often find themselves being audited or investigated and realize that they need a risk assessment conducted. Those health care entities reach out to qualified vendors and consultants and put a rush on the risk assessment, but the damage has already been done.

To ensure that you stay on top of HIPAA requirements sign up with HIPAAgps and start using our HIPAA compliance tools today, before you are audited or investigated.