The first HIPAA penalty of 2020 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR) and has been imposed on the medical practice of Steven A. Porter, M.D.
The practice has agreed to pay $100,000 to settle potential violations of the HIPAA Security Rule and will implement a corrective action plan to address all areas of noncompliance identified during OCR’s investigation.
Dr. Porter’s medical practice, based in Ogden, UT, provides gastroenterological services to more than 3,000 patients. OCR opened an investigation after receiving a breach report on November 13, 2013. The breach involved a business associate of Dr. Porter’s electronic health record (EHR) company allegedly using patients’ electronic medical records impermissibly by blocking the practice’s access to its ePHI until Dr. Porter paid the company $50,000.
The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i). The practice had not reduced risks to a reasonable and appropriate level, and had not implemented policies and procedures to prevent, detect, contain, and correct security violations.
Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on its behalf without first obtaining satisfactory assurances that the company would implement security measures to ensure the confidentiality, integrity, and availability of that ePHI, in violation of 45 C.F.R. § 164.308(b).
Throughout the investigation, OCR provided significant technical assistance, yet the practice still did not conduct a risk analysis after the breach or implement appropriate security measures to reduce risks to a reasonable and appropriate level.
The financial penalty sends a clear message to other healthcare providers that they must take their obligations under HIPAA seriously. OCR Director Roger Severino said: “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”