Non-Compliance With the Often Overlooked, “Basic” HIPAA Requirements Will Cost You
Steven A. Porter, M.D., P.C. (the “Practice”) is required to pay $100,000 and comply with a two-year corrective action plan pursuant to a settlement agreement with the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) for HIPAA violations.
The OCR investigated the Practice’s HIPAA compliance after the Practice filed a breach notification with HHS on November 21, 2013, claiming that a business associate of the Practice’s electronic health record (“EHR”) company was holding its patient records hostage until the Practice paid it $50,000, in violation of HIPAA. The complaint against this third party led to an investigation of the Practice’s own violations of the HIPAA Privacy and Security Rules.
The OCR determined that the Practice:
Failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its electronic protected health information (“ePHI”),
Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, and
Permitted the EHR company to create, receive, maintain or transmit ePHI on the Practice’s behalf without obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI, since at least 2013.
In addition to the settlement payment, the Practice is required to comply with the two-year corrective action plan from the OCR, which requires the Practice to take several corrective steps and undergo monitoring of its compliance for the two-year period. In addition to conducting risk assessments and adopting a risk management plan, the Practice is required to create a security management process; adopt a form business associate agreement (“BAA”); create procedures for negotiating and implementing BAAs; develop a method for assessing current and future business relationships; revise policies and procedures to ensure its workforce understands permissible and impermissible uses of PHI; train its workforce with respect to disclosing PHI to business associates and the use of their applications; and regularly submit reports on each of the foregoing to the OCR. The cost of compliance plus the $100,000 settlement payment is, however, a fraction of the potential penalties for which a healthcare provider could be liable in a case like this.
Important takeaways for your practice are to make sure that you:
Have a risk management plan in place
Plan and monitor compliance
Have BAAs in place with service providers, as appropriate
Train your staff on the protection and permitted uses of PHI
As always, if you have any questions, please feel free to contact us here or call us at 585.258.2800.