First HIPAA Settlement of 2020 – A Reminder to Providers Large and Small
On March 3, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced the first HIPAA enforcement action of 2020. The medical practice of Stephen A. Porter, M.D. agreed to pay $100,000 and adopt a corrective action plan in response to an OCR investigation into the practice’s compliance with the HIPAA Security Rule.
The enforcement action stemmed from the practice’s breach report involving a dispute with a business associate. As part of OCR’s investigation of the breach, the practice was unable to show that, at the time of the breach report, it had conducted a security risk analysis, a longstanding requirement of the HIPAA Security Rule. OCR offered technical assistance to the practice—essentially giving the practice a second opportunity to come into compliance with the HIPAA Security Rule. However, the practice still failed to conduct a thorough risk analysis to identify threats and vulnerabilities to protected health information (“PHI”).
This enforcement action serves as yet another reminder that covered entities and business associates must conduct and periodically update a security risk analysis in accordance with the HIPAA Security Rule. OCR Director Roger Severino noted in the press release that “[t]he failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” As technology evolves and organizations adopt innovative ways to store, access, and maintain electronic PHI, the risks to the ePHI must not only be identified, but also included in the organization’s risk mitigation plan.