Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherBrowse by ChannelAbout the NetworkJoin the NetworkProductsSub-MenuProducts OverviewBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAbout UsContactSubscribeSupport
Book a Demo
Search
Close

New OCR Settlement Targets Safety Net Provider on Security Rule Deficiencies

By Daniel Vinish, Maida Oringher Lerner, Kate M. Growley, CIPP/G, CIPP/US & Stephanie Willis on April 14, 2017
Email this postTweet this postLike this postShare this post on LinkedIn

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed an investigation that OCR undertook in response to a breach report that MCPN filed on January 27, 2012. While OCR found that MCPN took necessary corrective action in response to the reported breach, OCR determined that MCPN had never conducted a security risk analysis to assess the potential threats to its ePHI environment and concluded that MCPN did not have appropriate risk management policies in place at the time of the breach. OCR further found that the security risk analyses that MCPN ultimately did undertake following the breach were insufficient to satisfy the requirements of HIPAA’s Security Rule. Violations of the Security Rule have been a consistent focus of the OCR within the past year. The OCR’s willingness to go after a federally qualified health center, a safety net health care provider, in this settlement further underscores the importance of conducting robust security risk analyses to identify, assess, and address potential threats and vulnerabilities to a covered entity or business associate’s ePHI environments.

 

Photo of Maida Oringher Lerner Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber…

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Read more about Maida Oringher LernerEmail
Show more Show less
Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory…

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Read more about Kate M. Growley, CIPP/G, CIPP/USEmail
Show more Show less
  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Law Insights
  • Organization:
    Crowell & Moring LLP
  • Article: View Original Source

LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • Resource Center
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center
  • Blogging 101

New to the Network

  • Tennessee Insurance Litigation Blog
  • Claims & Sustains
  • New Jersey Restraining Order Lawyers
  • New Jersey Gun Lawyers
  • Blog of Reason
Copyright © 2025, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo