A $100,000.00 Kick in the Gut
We interact with enough providers every week to know that nobody wants to have to worry about the Health Insurance Portability and Accountability Act (HIPAA). It’s not fun, and it’s not sexy. But it’s important. Remember the four-quadrant Urgency/Importance grid that Steven Covey made popular? HIPAA and its components are important, but not necessarily urgent… unless the Office of Civil Rights comes knocking because you’ve had a breach. Then it’s on fire. Take this example as a cautionary tale.
On March 3, 2020, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) published a press release regarding an individual provider’s HIPAA happenings (or lack thereof) and why he was fined $100K.
|Health care provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements
The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.
OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report. Despite significant technical assistance throughout the investigation, Dr. Porter failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found here.
We urge you to navigate to the hyperlink above and review the agreement this provider was forced to enter into because of the alleged weaknesses in his HIPAA program. As you will read from the report of what happened, this originated out of a dispute with a Business Associate that caused a breach. It’s easy to ignore some of the regulatory necessities like HIPAA… until something happens. Now the provider’s pocket is light by $100k and he is under the watchful eye of a monitor for two years. All of this could have been avoided by simply implementing the required elements.
This provider allegedly… ”failed to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan.” As we conduct HIPAA desk reviews and analysis requested by providers, one of the most common missing elements is a properly conducted annual risk assessment. Like any type of internal, self-audit, things will turn up. That’s OK! Now we can act and provide a management plan to address them. Turning a blind eye, never looking or reviewing risk is not the way to handle something as important as patients’ privacy and the security of their health records.
We suggest, to make your HIPAA life happy, that you review your current HIPAA program with a certified specialist. Allow us to review what you have and identify gaps that could leave you vulnerable. You can review these options with a KMC University Discovery Consultation.
Comments on HIPAA Heartburn