Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network (MCPN), a Colorado-based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for a center that provides health care services to low-income patients, settled allegations that MCPN failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI…and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

The problem is that OCR has never provided guidance on what this phrase means. What qualifies in its opinion as an “accurate and thorough assessment”? What security measures are “reasonable and appropriate”? The terms are inherently subjective and could shift with the facts or with the particular OCR investigator.