HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation.
Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a report of a data breach on November 13, 2013. The breach involved a business associate of Dr. Porter’s electronic health record (EHR) company, which allegedly made impermissible use of patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.
The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i). The practice had also not reduced risks to a reasonable and appropriate level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.
Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).
Throughout the investigation, OCR provided significant technical assistance, yet a risk analysis was still not conducted after the breach, and appropriate security measures were not implemented to reduce risks to a reasonable and appropriate level.
The financial penalty shows that healthcare providers of all sizes must take their responsibilities under HIPAA seriously. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” said OCR Director Roger Severino.