The Office for Civil Rights (OCR) at the Department of Health and Human Services is responsible for HIPAA enforcement. On April 12, they issued the following announcement:
On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.
MCPN refers to Metro Community Provider Network, a Federally Qualified Health Center (FQHC) located near Denver. MCPN provides services to over 43,000 patients per year. FQHC’s and CHCs (Community Health Centers) are non-profit organizations. But they are still subject to HIPAA fines. The breach was greater than 500 records, so it had to be reported to OCR–which MCPN did. They even took the correct steps to remediate the breach. But OCR still fined MCPN $400,000.00 for not having proper protocols in place prior to the breach. OCR stated:
MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.
OCR levied the fine even though they recognized MCPN was a non-profit:
OCR considered MCPN’s status as a FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care.
Every organization, even non-profits, needs to ensure proper HIPAA compliance.