Interactive Counsel

Arent Fox's interactive media law blog - latest news and trends in advertising, data security & privacy, and IP.

HIPAA Easter: OCR Continues to Censure Healthcare Providers for Overlooking the Security Rule


HIPAA Easter: OCR Continues to Censure Healthcare Providers for Overlooking the Security Rule

What’s New?

Last week, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Denver-based Metro Community Provider Network (a federally-qualified health center or FQHC) will pay $400,000 and implement a corrective action plan to settle its violations of HIPAA. The violations include failure to conduct a risk analysis and implement a corresponding risk management plan in accordance with the HIPAA Security Rule, which resulted in vulnerabilities contributing to a data breach.

Why Should You Care?

Healthcare providers typically focus their HIPAA compliance efforts on the Privacy Rule and Breach Notification Rule, often overlooking the importance of comprehensive compliance with the Security Rule. Although this HIPAA settlement may seem nominal, OCR took into account Metro Community Provider Network’s status as an FQHC serving a predominantly low-income patient population. This settlement, together with heftier settlements of late (including a $5.5 million settlement for lack of audit controls and a $5.55 million settlement for lack of comprehensive risk analysis and risk management), underscores OCR’s strong message that covered entities must conduct comprehensive risk analyses and adopt strong risk management strategies to keep electronic PHI secure. We anticipate that OCR will continue to be very active in its enforcement of the Security Rule under the Trump administration.

What’s the Takeaway?

Healthcare providers, other covered entities, and their business associates should take this opportunity to review their HIPAA compliance programs, including performing an updated risk analysis and implementing corresponding updates to their risk management plans. Covered entities and business associates that fail to adequately protect electronic PHI are exposing themselves to significant liability under HIPAA and state privacy and data security laws.

Arent Fox’s Privacy, Cybersecurity & Data Protection and Health Care groups monitor developments in HIPAA enforcement and compliance. If you have any questions, please contact Jade M. Kelly, Sarah L. Bruno, or the Arent Fox professional who usually handles your matters.

Arent Fox LLP, founded in 1942, is internationally recognized in core practice areas where business and government intersect. With more than 350 lawyers, the firm provides strategic legal counsel and multidisciplinary solutions to clients that range from Fortune 500 corporations to trade associations. The firm has offices in Los Angeles, New York, San Francisco, and Washington, DC.