On the surface, it seems like an obvious choice – follow the law and avoid the risk of a hefty fine – but health care providers may learn the hard way that implementing HIPAA Security Rule requirements is, in fact, more complicated than it might first seem.
According to a recent U.S. Department of Health and Human Services Office for Civil Rights (OCR) settlement, a gastroenterology medical practice was fined $100,000 after an OCR investigation revealed that the practice had not taken the necessary precautions when reporting a breach related to a dispute with a business associate. The investigation also uncovered that, despite the practice having significant technical assistance throughout the investigation, it failed to accurately and thoroughly conduct a risk analysis after the breach.
HIPAA Security Rule Section 164.308(a)(1), a rule that this practice violated, deals with risk analysis and management and requires all health care providers to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” This requirement is one of the many administrative and technical requirements under the Security Rule.
In addition to the $100,000 fine, Dr. Porter also pledged to adopt a corrective action plan to settle the violation of the HIPAA Security Rule.
Though completely avoidable, Dr. Porter’s violation is unfortunately not that uncommon in today’s digital world. Federal and state laws governing the privacy and security of health information affect nearly every participant in the health care industry, and understanding these laws can be complicated. However, failing to comply with them can be costly.
Covered Entities and Business Associates are required by law to implement the HIPAA Security Rule, which includes (but is not limited to) conducting a security risk assessment. When in doubt, contact an attorney experienced in patient privacy and security matters to ensure compliance.
https://www.hhs.gov/about/news/2020/03/03/health-care-provider-pays-100000-settlement-ocr-failing-implement-hipaa.html (accessed March 5, 2020).
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf (accessed March 5, 2020).