The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued the first HIPAA settlement for 2020. Steven A. Porter, M.D., a gastroenterological sole practitioner, has agreed to pay $100,000 to the OCR for HIPAA violations.
On November 21, 2013, Steven A. Porter, M.D. filed a breach report with the OCR claiming that its business associate (BA), Elevation43, was withholding the Practice’s electronic protected health information (ePHI) until Porter paid for its services. However, the investigation turned on Porter when the OCR discovered significant noncompliance with HIPAA standards.
In its investigation, OCR found that the gastroenterological Practice:
- Failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
- Failed to conduct a thorough and accurate risk analysis to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failed to obtain assurances that its BA was appropriately safeguarding the ePHI that the BA created, received, maintained, or transmitted on behalf of the gastroenterological Practice.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
HIPAA Settlement Corrective Action Plan
In addition to paying the $100,000 HIPAA fine, the gastroenterological practice must undergo a corrective action plan.
- Security Management Process
  - Risk Analysis: Steven A. Porter, M.D. is required to conduct a thorough and accurate risk analysis to assess vulnerabilities to the confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted on the Practice’s behalf. The risk analysis must be conducted within 90 days of the Effective Date and must be submitted to HHS for review and approval.
  - Risk Management: Once HHS has reviewed and approved the risk analysis conducted by Steven A. Porter, M.D., the Practice has 90 days to submit a risk management plan to HHS for review and approval. The risk management plan must include the ways in which the Practice will address the risks and vulnerabilities identified by the risk analysis.
- Revise Policies and Procedures: The Practice must revise its policies and procedures relating to conducting a risk analysis and implementing a risk management plan. It must also revise its policies and procedures relating to business associates, and those governing the gastroenterological practice’s use and disclosure of ePHI.
- Training: All employees must be trained within 60 days of HHS approval of the Practice’s policies and procedures. Employees must be retrained annually, and new employees must be trained within 15 days of their start date.