Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network (MCPN), a Colorado-based federally qualified health center, over alleged HIPAA violations. The fine, a whopping $400,000 for a center that provides health care services to low-income patients, settled allegations that MCPN failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI…and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

The problem is that OCR has never provided guidance on what this phrase means. What qualifies, in its opinion, as an “accurate and thorough assessment”? What are security measures that are “reasonable and appropriate”? The terms are inherently subjective and could shift with the facts of a case or with the particular OCR investigator.
The case started with MCPN self-reporting a data breach in which a hacker gained access to employees’ email accounts, and through them to patients’ health information, by way of a phishing attack in 2011. Following the attack, MCPN performed a risk assessment in early 2012, and additional assessments thereafter. Although MCPN appears to have performed multiple risk assessments after the breach, OCR opined that they were “insufficient.” OCR doesn’t tell us why.

MCPN was the victim of a hacker. It followed the law, reported the incident to the affected patients and to OCR, and performed risk assessments after the incident, yet it seems to be getting penalized for performing those assessments in a way OCR deems insufficient. I don’t know what that means, and probably neither does any other health care provider reading the Resolution Agreement. This is unfortunate, since we should all be learning from one another.

It would be very helpful to us in the field if OCR would publish a white paper or specific guidelines on exactly what the content of the risk assessment should be to pass its muster. And is that muster the same throughout all of OCR’s regions? This writer has had different experiences with different investigators in different regions.

Health care providers should be given a clear understanding of what OCR requires in risk assessments, and each region should review risk assessments against the same criteria. OCR should be working with victims of hacking instead of clobbering them with fines that take resources away from providing patient care. Working with health care entities to provide clarity around expectations and providing technical assistance, instead of vague pronouncements and a heavy stick, might produce better results.