On March 3, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a $100,000 settlement and corrective action plan with Steven A. Porter, M.D. to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements.  Dr. Porter is a gastroenterologist in Utah. This is the first 2020 OCR HIPAA settlement announced.

In November 2013, Dr. Porter’s medical practice filed a breach report with OCR related to a dispute with a subcontractor of its electronic health records provider. The subcontractor refused to give the medical practice access to the practice’s electronic Protected Health Information (ePHI) until the practice paid the subcontractor $50,000. When OCR investigated the breach report, it found that the practice had never conducted a risk analysis at the time of the breach report and, despite significant technical assistance throughout the OCR investigation, had failed to complete an accurate and thorough risk analysis following the breach. OCR also found Dr. Porter failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The OCR specifically faulted the practice for failing to obtain satisfactory assurances from its electronic health records provider that it would appropriately safeguard the practice’s ePHI.

In addition to the $100,000 payment, the practice agreed to a corrective action plan that includes two (2) years of monitoring and a commitment that the practice will do each of the following:

• conduct a thorough and accurate risk analysis to assess vulnerabilities to the confidentiality, integrity and availability of ePHI created, received, maintained or transmitted by the practice or on its behalf.  
• submit a risk management plan to HHS.  The risk management plan must include a process and timeline for the practice’s implementation, evaluation and revision of their risk remediation activities.
• revise policies and procedures relating to business associates, including designating one or more individual(s) who are responsible for ensuring the practice enters into a business associate agreement prior to the practice disclosing ePHI to the business associate.  
• provide HHS with training materials addressing the requirements of the Privacy and Security Rules that will be used for its workforce members.

OCR enforced HIPAA’s requirements against a very small covered entity – a sole practitioner medical practice –  and this should serve as a clear warning to covered entities of all sizes that they need to take their HIPAA Privacy Rule and Security Rule obligations seriously. In the HHS press release, the OCR Director noted that “the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

This settlement provides important reminders for all HIPAA-covered entities. First, make sure to know with whom your business associates are sharing PHI. Second, confirm on a regular basis that all necessary business associate agreements are executed and being followed.  Third, perform risk assessments.  Fourth, make sure the business associates with whom the covered entity contracts have and are enforcing a business associate agreement with each of its subcontractors. Fifth, never lose complete control of your data.  Make sure to always have an up-to-date backup within your control.  Many providers are reliant on the cloud or their own in-house backup, making them subject to ransomware attacks or simple blackmail, as Dr. Porter unfortunately discovered. Finally, Dr. Porter’s problem was not only with OCR.  His practice did not have access to the ePHI needed to treat his patients. If Dr. Porter had followed best practices to ensure HIPAA compliance, Dr. Porter could have potentially avoided this entire event and the OCR investigation and settlement.