OCR Settlement Lessons – Failing to Perform an Electronic Access Risk Analysis Before an Unauthorized Access Occurs
By John H. Fisher II
May 3, 2017
Failure to conduct a risk assessment before a hacking incident occurred resulted in a $400,000 settlement between the Office of Civil Rights (OCR) and a Federally Qualified Health Clinic (FQHC). The FQHC filed a breach report upon learning its employee emails had been hacked and the hacker had access to electronic health information of over 3,000 patients. The OCR’s investigation that resulted from the breach disclosure revealed that required corrective action was taken in response to the breach but that the provider failed to conduct a timely risk analysis. Furthermore, the provider failed to conduct an assessment of risks and vulnerabilities of ePHI prior to the breach and had not implemented corresponding risk management plans to address electronic risks. Even when the provider conducted a risk analysis, OCR found the analysis to be insufficient to meet HIPAA security standards.
Lesson 1 – Conduct an analysis of electronic risk vulnerabilities before an unauthorized access breach occurs.
Lesson 2 – OCR considered that the provider was an FQHC and still imposed a $400,000 settlement amount.
Lesson 3 – Do not overlook the HIPAA security rules.
The content in the following blog posts is based upon the state of the law at the time of its original publication. As legal developments change quickly, the content in these blog posts may not remain accurate as laws change over time. None of the information contained in these publications is intended as legal advice or opinion relative to specific matters, facts, situations, or issues. You should not act upon the information in these blog posts without discussing your specific situation with legal counsel.
© 2021 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.