Accurately and Thoroughly Conduct a HIPAA Security Risk Analysis – Or Risk a $100,000 Fine (or More)

Dickinson Wright

Dickinson Wright

On the surface, it seems like an obvious choice – follow the law and avoid the risk of a hefty fine – but health care providers may learn the hard way that implementing HIPAA Security Rule requirements is, in fact, more complicated than it might first seem.

According to a recent U.S. Department of Health and Human Services (OCR) settlement, a gastroenterology medical practice was fined $100,000 after an investigation by the OCR revealed that the practice had not taken the necessary precautions when reporting a breach related to a dispute with a business associate.[1] The investigation also uncovered that despite the practice having significant technical assistance throughout the investigation, it failed to accurately and thoroughly conduct a risk analysis after the breach.

HIPAA Security Rule Section 164.308(a)(1), a rule that this practice violated, deals with risk analysis and management and requires all health care providers to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”[2]  This requirement is one of the many administrative and technical requirements under the Security Rule.

In addition to the $100,00 fine, Dr. Porter also pledged to adopt a corrective action plan to settle the violation of the HIPAA  Security Rule.

Though completely avoidable, Dr. Porter’s violation is unfortunately not that uncommon in today’s digital world. Federal and state laws governing the privacy and security of health information affect nearly every participant in the health care industry and understanding these laws can be complicated. However, failing to comply with them can be costly.

Covered Entities and Business Associates are required by law to implement the HIPAA Security Rule, which includes (but is not limited to) conducting a security risk assessment.  When in doubt, contact an attorney experienced in patient privacy and security matters to ensure compliance.

[1] (accessed March 5, 2020).

[2] (accessed March 5, 2020).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson Wright | Attorney Advertising

Written by:

Dickinson Wright

Dickinson Wright on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide