A Denver-area Federally Qualified Health Center (FQHC) must pay $400,000 in fines and implement a corrective action plan for HIPAA violations that followed a hacker's intrusion into the health center's employee email accounts. The breach led to the theft of electronic protected health information (ePHI) of 3,200 individuals. Although the HIPAA violations stemmed from a malicious breach, Metro Community Provider Network (MCPN) was found at fault by OCR officials after OCR's investigation showed that MCPN had not conducted a risk analysis of its ePHI environment and waited another two months after discovering the breach to conduct one. MCPN had no risk management process in place to determine which vulnerabilities the center was exposed to.
Georgia Healthcare and HIPAA Compliance Lawyers
The HIPAA Privacy Rule was enacted to protect patient health information and to give patients more control over the use of their private information. Under Federal law, healthcare businesses have a strict obligation to protect the information of patients. While there is no private cause of action for violations of HIPAA, complaints can be filed with the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), states' Departments of Health, federal third-party payors (Medicare, TRICARE, VA, etc.), and state licensing boards, and, in some cases, state law may provide individuals a cause of action under specific state privacy laws. Such complaints can lead to investigations, fines and other negative consequences for a healthcare professional or practice.
Federally Qualified Health Centers
FQHCs provide primary and preventative healthcare services to medically underserved populations. FQHCs are sometimes called community health centers and are typically located in rural areas where travel to the nearest hospital is onerous or in impoverished or inner-city communities where the local population does not have the financial means to be seen at a typical hospital. FQHCs are intended safety nets, designed to improve the health of the at-risk communities in which they are established and are supported by Federal and state grants, enhanced reimbursement for Medicare and Medicaid patients and access to discounted drug programs. FQHCs are under the scrutiny of Federal officials to ensure compliance with Federal regulations.
The specifics of the MCPN case show that OCR investigators can be unrelenting in their investigations — no matter how long it takes (in this case five years), and no matter who the responsible parties are. FQHCs are thus not immune to harsh consequences for violating Federal law. In determining the fines for the HIPAA violations committed by MCPN, the OCR took into account the community need for their services and said in its statement that OCR “considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.”
Substantial fines that impact daily operations are thus predictable (and avoidable) adverse consequences — even for FQHCs — of violating HIPAA and/or other Federal regulations. In addition, the corrective action plans that FQHCs must follow to remediate HIPAA violations can be quite onerous. Every healthcare practice or provider should be proactive about compliance with all Federal programs and regulations and should have appropriate and sufficient policies and practices in place to prevent violations of any regulation applicable to them.
We advise and represent FQHCs, hospitals, medical practices, physicians and other healthcare providers. If you have questions about this post, contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, email@example.com.
** Disclaimer: Thoughts shared here do not constitute legal advice. Please consult with an attorney to discuss your legal issue.