By Julie-Karel Elkin 

“[Metro Community Provider Network] provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.” Source:

It appears the Office for Civil Rights (OCR) weighed the provider's ability to continue indigent care when assessing the $400,000 fine, but ultimately decided that the failure to audit and, in turn, to adjust policies, procedures, and training for privacy and security was more important.

The government press release goes on to state, “On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012…

…Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.”

All providers, practice managers, and compliance staff should note that the initial problem was handled properly. Unfortunately for the network, the secondary inquiry into policies and procedures uncovered additional problems that helped to generate a larger investigation and resulted in a huge fine.

With all the uncertainty in healthcare at present, the ability of HHS and OCR to levy crushing fines remains secure. There is no good reason to risk an investigation that could put your practice out of business, so please heed the warnings and get compliant.


Julie-Karel Elkin is a Member and the Chief Compliance Officer at Spicer Rudstrom PLLC for the Nashville office. She is the head of the Health Data Privacy and Security practice and has been helping companies and practices large and small with all aspects of their compliance needs for more than 20 years. Ensuring her clients protect and secure data through better training and the sensible use of technology is at the core of her mission.