Colorado provider pays $400,000 to settle HIPAA violations

The federal government has notched another HIPAA settlement, the first under new Office of Civil Rights Director Roger Severino.

Colorado-based Metro Community Provider Network, a federally qualified health center that serves low-income patients, agreed to pay $400,000 for its failure to conduct a timely risk analysis, according to a release from the Department of Health and Human Services.

The incident dates back to January 2012, when MCPN revealed 3,200 electronic personal health records had been compromised during a phishing incident. Although the provider took the appropriate corrective actions, it failed to conduct a risk assessment until mid-February, according to HHS.

Prior to the breach, MCPN had not yet assessed its security risks and therefore had no risk management plans in place. A subsequent analysis was deemed insufficient.

As part of an accompanying corrective action plan (PDF), the community health provider must conduct a risk analysis approved by HHS and submit all plans and reports to the agency.

The settlement adds to a number of high-profile HIPAA resolutions initiated by OCR, including a $2.14 million settlement with St. Joseph Health in October and a $5.5 million settlement with Memorial Healthcare System in February.

Prior to Donald Trump’s presidential victory, a senior adviser at OCR said providers could expect more HIPAA fines in the future, and in December another OCR adviser said the agency would be conducting more onsite audits in 2017.

But some have wondered what approach the Trump administration will take regarding HIPAA enforcement, particularly amid calls to bring HIPAA up to date with current technology. The recent appointment of Severino, a former policy director at the Heritage Foundation, raised concerns about recent privacy guidelines for LGBT populations.