In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights issued a record 19 fines for failure to comply with the HIPAA regulations. Six of the fines announced in 2020 were principally issued for failure to comply with the HIPAA Security Rule’s requirement to conduct a security risk assessment and to track and inventory network devices. The message of OCR 2020: Keep patient records safe. 2020 fines related to HIPAA Security Rule violations are discussed below.

HIPAA Security Rule Violations

HIPAA Security Rule Violations: Risk Analysis and Risk Assessment

OCR 2020 enforcement activity began with fines for violation of the Security Rule’s administrative safeguard requirement to perform a risk analysis and risk assessment. As a practical matter, failure to perform these is the equivalent of removing a bottom card from a house of cards: if you don’t perform the assessment and management, whatever other security measures you take won’t prop you up.

HIPAA Security Rule Violations: Steven A. Porter, M.D.

Out in Ogden, Utah, the gastroenterology practice of Steven A. Porter, M.D. (patients treated per year: 3,000) had a spat with a business associate. Porter filed a breach report on November 21, 2013, with an embarrassing allegation: Elevation 43, a business associate of Dr. Porter’s electronic health record (EHR) company, was impermissibly using the Practice’s patients’ electronic protected health information (“ePHI”) by blocking the Practice’s access to that ePHI. Elevation told Dr. Porter that it would be happy to restore access – for $50,000.

OCR’s investigation revealed that Dr. Porter’s office was in significant noncompliance with the HIPAA Security Rule, first and foremost because it failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. OCR also found that the practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The point of a risk analysis is to identify and investigate these risks and vulnerabilities. If you don’t know they exist, you obviously are not taking sufficient measures to reduce the risks to a reasonable and appropriate level. The implication of OCR’s findings is clear enough: the practice would not have been held for ransom in the first place had it conducted the risk analysis – crime does pay if nothing is done to prevent it. OCR also dinged the practice for failing to enter into a valid business associate agreement with Elevation 43. OCR, finding the main event to be the Security Rule violation, wrangled Dr. Porter into a $100,000 fine and a two-year corrective action plan.


HIPAA Security Rule Violations: Metropolitan Community Health Services

A couple of months later, OCR struck again, fining Metropolitan Community Health Services (Metro), a Williamston, North Carolina provider serving the underserved population in that state’s rural east, in the amount of $25,000. Back in 2011, Metro, a federally qualified health center (FQHC), filed a breach report (affected patients: 1,263) with OCR. Upon investigation, OCR found widespread, longstanding noncompliance with the HIPAA Security Rule. OCR found that Metro did not develop Security Rule policies and procedures. Metro also failed to conduct any risk analyses and neglected to provide workforce members with security awareness training until 2016. In short, Metro treated the Security Rule as if it did not exist.

HIPAA Security Rule Violations: And Then There Were Four

The remaining four Security Rule fines cost each recipient, all of whom are large and well-known, over one million dollars.

Lifespan Affiliated Covered Entity

First up was