The Department of Health and Human Services Office of Civil Rights (HHS OCR) recently settled with a notable covered entity – a nonprofit Federally Qualified Community Health Center (FQHC) – over alleged Health Information Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. FQHCs generally serve underserved populations and qualify for enhanced reimbursement from Medicare and Medicaid. The Denver-based FQHC, Metro Community Provider Network (MCPN), provides medical, dental, and behavioral care to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. MCPN has agreed to pay $400,000 to HHS and to implement a Corrective Action Plan (CAP).

This settlement highlights how long HHS OCR investigations can take (five years from the start of the investigation to settlement); how broad HHS OCR's range of targets is (FQHCs are not safe from scrutiny); and just how onerous corrective action can be after an investigation (see below).

Breach and Subsequent Investigation

MCPN self-reported that a hacker obtained the electronic protected health information (ePHI) of 3,200 individuals through a phishing incident. HHS OCR then launched a five-year investigation that alleged the following:

  • Prior to the incident, MCPN allegedly failed to conduct a risk analysis on its ePHI environment, in violation of the HIPAA Privacy and Security Rules;
  • After the incident, MCPN allegedly did not conduct a risk analysis until two months after discovering the incident; and
  • The alleged failure to perform risk analyses consequently meant that MCPN had not implemented corresponding risk management plans.

In addition to the $400,000 settlement, MCPN’s CAP, which follows how HHS OCR commonly structures CAPs, requires MCPN to take certain actions, including some highlighted below, for at least three years:

  • Conduct an HHS-approved Risk Analysis and implement a Risk Management Plan
  • Review and revise its Security Rule policies, procedures, and training based on the Risk Analysis
  • Report to HHS any workforce members’ failure to comply with its policies and procedures
  • Submit an Implementation Report and Annual Reports to HHS

Investigations can be long, and they can lead to CAPs that require an enormous amount of oversight and work. Risk analyses and the subsequent implementation of risk management plans are critical for HIPAA compliance, and organizations should be proactive about dutifully conducting them.