Big HIPAA Fine for Solo Doctor PracticeHHS OCR Cites Major Security Shortcomings
A gastroenterologist has been smacked with a $100,000 HIPAA settlement after an investigation stemming from a 2013 breach report the practice filed related to a business associate dispute. Federal investigators determined the physician's practice had never conducted a risk analysis.
In a statement issued Tuesday, the Department of Health and Human Services' Office for Civil Rights says Steven A. Porter, M.D., who practices in Ogden, Utah, and provides services to more than 3,000 patients annually, has agreed to pay $100,000 and adopt a corrective action plan.
OCR began investigating Porter's medical practice after it filed a breach report related to a dispute with a business associate.
"OCR's investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."
Chain of Events
A resolution agreement in the case says OCR initiated a compliance review of Porter's practice following the receipt of a breach report filed by the practice in November 2013.
"The practice's breach report claimed that Elevation43, a business associate of Dr. Porter's electronic health record company, was impermissibly using the practice's patients' electronic protected health information by blocking the practice's access to such ePHI until Dr. Porter paid Elevation43 $50,000," the OCR statement says.
"OCR's investigation of the practice revealed that the practice demonstrated significant noncompliance with the HIPAA rules," OCR says.
OCR says the practice failed to implement policies and procedures to prevent, detect, contain and correct security violations.
"Specifically, the practice has failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of all its ePHI," OCR says.
Further, the practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
"The practice permitted Dr. Porter's EHR company to create, receive, maintain or transmit ePHI on the practice's behalf at least since 2013 without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI."
OCR did not immediately respond to an Information Security Media Group inquiry, including whether the agency will investigate or issue any HIPAA enforcement actions against the business associate involved in the case.
A Utah government website for its division of corporations and commercial code indicates that Elevation43 was an advertising and related services firm whose status as a business in the state "expired" in 2017.
The EHR vendor involved in the Porter dispute was not identified in OCR's public documents in the case.
Porter's office did not immediately respond to an ISMG request for comment on the settlement.
"All healthcare providers, large and small, need to take their HIPAA obligations seriously," said OCR Director Roger Severino. "The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry."
Corrective Action Plan
Porter's office has agreed to a corrective action plan that includes:
- Conducting "an accurate and thorough" security risk analysis;
- Developing and implementing a risk management plan addressing the security risks and vulnerabilities identified in the risk analysis;
- Revising its policies and procedures relating to business associates.
The settlement with Porter's practice is the second HIPAA enforcement action revealed by OCR so far this year.
In January, OCR announced a $65,000 settlement with West Georgia Ambulance, a Georgia-based ambulance company, in a case involving "longstanding" HIPAA compliance issues.
So what can other covered entities and business associates learn from this case involving the Porter practice?
"As we have seen over the years, formal enforcement actions taken by [OCR] are littered with references to attempts they have made to work with the covered entity or business associate to take action to mitigate the effects of their failure to comply with the rules," notes privacy attorney David Holtzman of the security consulting firm CynergisTek.
That includes taking the necessary steps to adopt policies and procedures called out by the HIPAA standards to safeguard their e-PHI, he says. "Organizations should become more risk averse to the damage than can be done to their reputations and bank account by choosing to turn away offers to resolve a compliance problem before it becomes a 'federal case.'"
Additionally, any organization creating or maintaining sensitive personal information should perform an enterprisewide risk assessment to identify the threats and vulnerabilities to the confidentiality, integrity and availability to the data, Holtzman advises.
"Use the risk assessment to develop a plan of action that prioritizes those areas that pose the highest risk of compromise to the information system. Make it a management imperative in your organization to follow through on investment and attention to information security."
Vendor Risk Management
Susan Lucci, a senior privacy and security consultant at tw-Security says the case also provides critical lessons about business associate relationships.
"You cannot forget to vet and communicate with your business associates," she says.
"Ongoing communication can set expectations and provide assurances that they are aligned with your level of compliance. This is an ongoing process, not a once and done. As attacks evolve, so too, should your defense strategy."
Big Fine for Small Practice?
Lucci questions the size of the financial penalty in the case.
"Over a year ago, OCR announced they would reduce the penalty amounts levied," Lucci notes (see HHS Lowers Some HIPAA Fines).
"It's counter-productive to get healthcare on board with compliance when they levy high penalties. The corrective action plan always follows the penalty and there is an expense tied to that. All in healthcare have a budget, and if the OCR assesses overly burdensome penalties then what will suffer - patient care, services, staffing? Certainly organizations who have not made strong efforts to comply with data protection should have consequences, but a more balanced approach of achieving the goal is what is needed."
Holtzman says OCR must strive to make the amount of a financial penalty "meaningful while leaving the healthcare provider able to continue its mission of care."
The HIPAA Enforcement Rule requires OCR to take into account an organization's financial condition or their ability to pay a fine or penalty, he adds.
"When assessing the amount of a civil monetary penalty that could be levied for violations of the HIPAA standards, OCR will review information from the covered entity or business associate of the organization's size, if the entity has had financial difficulties that affected its ability to put into place the processes or technologies needed to safeguard its PHI, and whether the imposition of a fine or penalty would jeopardize the continued provision of treatment services or paying for healthcare."