The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced the first HIPAA penalty of 2020. Under the settlement, the practice of Steven A. Porter, M.D. pays a $100,000 financial penalty to resolve potential HIPAA Security Rule violations and will undertake a corrective action plan to address all areas of noncompliance identified during the compliance investigation.
Dr. Porter’s practice in Ogden, UT provides gastroenterological care to more than 3,000 patients. OCR opened its investigation after receiving a breach report on November 13, 2013. The breach involved a business associate of Dr. Porter’s electronic health record (EHR) company, which was allegedly using patients’ electronic medical records impermissibly by blocking the practice’s access to its PHI until Dr. Porter paid it $50,000.
The breach investigation revealed the following serious HIPAA Security Rule violations by the practice:
- Dr. Porter had not carried out a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i).
- The practice had not reduced risks to a reasonable and appropriate level.
- The practice had not implemented policies and procedures to prevent, detect, contain, and correct security violations.
- From 2013, the practice had permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on its behalf without first obtaining satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).
Although OCR provided substantial technical assistance during the investigation, the practice still did not carry out a risk analysis after the breach and did not implement security measures to reduce risks to a reasonable and appropriate level.
The financial penalty underscores that healthcare organizations of all sizes must take their obligations under HIPAA seriously. Failure to meet fundamental HIPAA requirements, such as maintaining an accurate and thorough risk analysis and a risk management plan, remains an unacceptable and troubling trend across the healthcare sector.