$100,000 HIPAA Fine Imposed on Physician Practice for Security Rule Violations

A $100,000 HIPAA fine has been imposed on a solo physician practice for HIPAA Security Rule failures discovered by the Department of Health and Human Services’ Office for Civil Rights (OCR) during an investigation of a data breach related to a dispute between the practice and one of its business associates.

Steven A. Porter, M.D, a gastroenterologist in Ogden, UT, runs a practice serving around 3,000 patients. Dr. Porter submitted a data breach report to OCR in 2013 when his electronic medical record company, Elevation43, blocked access to the electronic protected health information (ePHI) of patients until a $50,000 bill was paid. Dr. Porter alleged Elevation24 was impermissibly using the practice’s health records.

OCR investigated the breach and discovered the practice had not conducted a risk analysis prior to the OCR investigation. In an announcement about the HIPAA fine, OCR said the practice had” demonstrated significant noncompliance with the HIPAA rules,” which warranted a financial penalty.

OCR provided “significant technical assistance,” but even after the breach, the practice failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all its ePHI. The practice also failed to implement security measures to reduce risks and vulnerabilities to a reason and appropriate level, as required by the HIPAA Security Rule. OCR also said the practice had permitted Elevation24 to create, receive, maintain or transmit ePHI on the practice’s behalf at least since 2013, yet the practice had not received satisfactory assurances that Elevation24 would safeguard ePHI.

In addition to paying the $100,000 penalty, the practice has agreed to a corrective action plan to address the HIPAA failures and will be monitored closely by OCR for 2 years.

There are lessons to be learned from this HIPAA penalty. OCR prefers to work with covered entities to help them correct any compliance issues and often provides technical assistance to help covered entities bring their compliance programs up to the required standard. When that assistance is provided, it is essential for covered entities to act on that advice quickly.

This is yet another case where risk analysis failures have been found. The risk analysis is an essential part of ensuring that ePHI is safeguarded, yet many covered entities fail to conduct a risk analysis, do not conduct risk analyses regularly, or conduct risk analyses but do not cover the entire organization. If in doubt about what a risk analysis should entail, seek advice from compliance specialist.

“All healthcare providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”