Metro Community Provider Network, a federally-qualified health center, has agreed to pay $400,000 and implement a corrective action plan to settle potential noncompliance with the Health Insurance Portability and Accountability Act privacy and security rules, the Department of Health and Human Services’ Office for Civil Rights announced today. The health center filed a breach report with OCR in January 2012 indicating that a hacker accessed employees' email accounts and obtained electronic protected health information for 3,200 individuals through a phishing incident. “Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis,” OCR said. “When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.” For more on the HIPAA Security Rule, see the OCR guidance and AHA’s online resources.