Federally Qualified Health Centers (FQHCs), Community Health Centers (CHCs) and related entities are non-profit organizations that run on shoestring budgets. These organizations are constantly in search of revenue, grants and donations to keep their operations running. Therefore, any type of adverse financial event will be devastating. However, these organizations also must comply with relevant regulations, including HIPAA.
One unfortunate FQHC is the Metro Community Provider Network (MCPN), located in the Denver, Colorado area. MCPN provides primary medical care, dental care, pharmacy, social work and behavioral health services to over 43,000 patients per year, most of whom have incomes at or below the poverty level.
According to a press release on April 12, 2017 from HHS/OCR:
On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.
This is clearly a breach of greater than 500 records and must be reported to OCR, which it was. OCR even found that MCPN took proper steps to remediate the phishing incident. However, upon further investigation, OCR found:
MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.
Even though MPCN is an FQHC, HHS/OCR did not give them a “pass”. HHS/OCR settled with MCPN for $400,000. The amount of the fine probably would have been higher, however:
OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.
In other words, OCR did not want to put MCPN out of business, but they did levy a fine that clearly hurt.
The takeaway: no matter who you are, you need to make sure you are HIPAA compliant.