
Health Care Blog

OCR Settlement Lessons - Failing to Perform an Electronic Access Risk Analysis Before an Unauthorized Access Occurs

Failure to conduct a risk assessment before a hacking incident occurred resulted in a $400,000 settlement between the Office of Civil Rights (OCR) and a Federally Qualified Health Clinic (FQHC). The FQHC filed a breach report upon learning that its employee email accounts had been hacked and that the hacker had access to the electronic protected health information (ePHI) of over 3,000 patients. The OCR investigation that followed the breach disclosure found that the provider took the required corrective action in response to the breach, but that it failed to conduct a timely risk analysis. Furthermore, the provider had not assessed the risks and vulnerabilities to its ePHI before the breach and had not implemented corresponding risk management plans to address those electronic risks. Even when the provider did conduct a risk analysis, OCR found the analysis insufficient to meet HIPAA security standards.

Lesson 1 – Conduct an analysis of electronic risk vulnerabilities before an unauthorized access breach occurs.

Lesson 2 – OCR considered that the provider was an FQHC and still imposed a $400,000 settlement amount.

Lesson 3 – Do not overlook the HIPAA security rules.