A Denver area Federally Qualified Health Center (FQHC) must pay $400,000 in fines and implement a corrective action plan for HIPAA violations that resulted from a hacker’s breach into the health center’s employee emails. The breach led to theft of electronic protected health information (ePHI) of 3,200 individuals. Although the HIPAA violations were a result of a malicious breach, Metro Community Provider network (MCPN) was found at fault by OCR officials after OCR’s investigation showed MCPN did not conduct a risk analysis of its ePHI environment and waited another two months after discovery of the breach to conduct a risk analysis. MCPN had no system of risk management in place to determine what vulnerabilities the center was susceptible to.
Georgia Healthcare and HIPAA Compliance Lawyers
The HIPAA Privacy Rule was enacted to protect patient health information and secure for patients more control over the use of their private information. Under Federal law, healthcare businesses have a strict obligation to protect the information of patients. While there is no private cause of action for violations of HIPAA, complaints can be filed with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), states’ Departments of Health, federal third-party Payors (Medicare, TRICARE, VA, etc), state licensing boards, and, in some cases, state law may provide a cause of action for individuals under specific state privacy laws. Such complaints can lead to investigations, fines and other negative consequences for a healthcare professional or practice.