Last week, the Office for Civil Rights (OCR) released a statement regarding its settlement with the practice of Steven A. Porter, M.D. (the Practice) in Ogden, Utah, which provides gastroenterological services to over 3,000 patients per year. Within the agreement, the Practice has agreed to pay a substantial fee and adopt a corrective action plan in order to be HIPAA compliant.
Initial breach and compliance review
The Practice initially filed a breach report with OCR November 2013 related to a dispute with one of its business associates (BA), Elevation43. According to the breach report, Elevation43 misused the Practice’s electronic protected health information ( ePHI) by blocking Dr. Porter’s access until the Practice paid $50,000. An OCR compliance review conducted following the breach report found that the Practice was in violation of several HIPAA rules: “Dr. Porter never conducted a risk analysis investigation at the time of the breach report, and…had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” At this time, no information has been released regarding the original breach report and Elevation43.
Agreement termsAs part of the settlement, the Practice agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 as well as put an agreed upon corrective action plan into place within a given amount of time. As stated in the corrective action plan, it is necessary for the Practice to:
- Conduct an accurate and thorough risk assessment immediately and annually (or as needed)
- Create a risk management plan to reduce identified risks as well as vulnerabilities
- Revise current policies and procedures related to the risk analysis, BA relationships, and the use and disclosure of ePHI
- Revise and update policies and procedures regarding employee training while ensuring their implementation
- Promptly investigate all matters
- Submit written reports to OCR during the corrective action plan period, and after as asked.
What is the lesson in this?This settlement is the second OCR agreement in 2020—the first a $65,000 settlement with West Georgia Ambulance—demonstrating that HHS has no plans to stop holding healthcare organizations accountable for HIPAA noncompliance. “All health care providers, large and small, need to take their HIPAA obligations seriously,” states OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” Related: Personally Identifiable Information: HIPAA Compliance Key Facts Several lessons are clear from this settlement:
- Do your due diligence to be HIPAA compliant
- Take the necessary steps to adopt strong policies and procedures to safeguard data
- Perform risk assessments and develop an action plan to mitigate risks as well as vulnerabilities
- If utilizing BAs, know who they are and ensure their compliance—employ business associate agreements.
Failure to follow and comply with HIPAA creates unnecessary threats to patients and healthcare organizations that risk damage to reputations and financial accounts. HHS is serious about HIPAA compliance as should all healthcare organizations.