[BreachExchange] OCR Settles with Utah Provider for $100K Over HIPAA Security Failures

Destry Winant destry at riskbasedsecurity.com
Wed Mar 4 10:27:29 EST 2020


https://healthitsecurity.com/news/ocr-settles-with-utah-provider-for-100k-over-hipaa-security-failures

March 03, 2020 - The provider office of Steven Porter, MD in Ogden,
Utah has settled with the Department of Health and Human Services
Office for Civil Rights after failing to implement certain HIPAA
security requirements. Porter will pay OCR $100,000 and must adopt a
corrective action plan.

Porter is the sole practitioner of the medical practice and provides
gastroenterological services to more than 3,000 patients each year.
His settlement with OCR over potential HIPAA violations is the first
announced this year.

OCR launched a compliance review into the practice, after Porter filed
a breach report stemming from a business associate dispute. Porter
claimed his EHR vendor was impermissibly using the practice’s
electronic protected health information by blocking the provider’s
access until he paid the vendor $50,000.

Dig Deeper

West Georgia Ambulance Pays $65K OCR Settlement for HIPAA Violations
Korunda Medical Pays OCR $85K for HIPAA Right of Access Failure
Sentara Pays $2.2M for Failing to Properly Report Data Breach to OCR

However, the investigation revealed the provider never conducted a
security risk analysis of potential risks and vulnerabilities to the
integrity and availability of its ePHI prior to the breach report.
Porter failed to implement policies and procedures that would prevent,
detect, contain, and correct security violations.

The investigation also found the practice did not implement security
measures that would sufficiently reduce risks and vulnerabilities to a
reasonable level.

Further, the practice also allowed its EHR vendor to create, receive,
maintain, and transmit ePHI on behalf of the provider since at least
2013, but did not first obtain satisfactory assurances that the vendor
would appropriately safeguard the data.

What’s more, OCR provided Porter with “significant technical
assistance” during the investigation, but the practice still did not
conduct an accurate and thorough risk analysis after the breach.

“All healthcare providers, large and small, need to take their HIPAA
obligations seriously,” OCR Director Roger Severino, said in a
statement. “The failure to implement basic HIPAA requirements, such as
an accurate and thorough risk analysis and risk management plan,
continues to be an unacceptable and disturbing trend within the
healthcare industry.”

It's important to note that the Office of the National Coordinator has
developed a risk assessment tool that can help providers effectively
identify and assess risks to patient health data.

The agreement is not an admission of liability by the provider nor a
concession by HHS. Porter has agreed to the monetary settlement and a
corrective action plan, including two years of monitoring by OCR.

The practice will need to first complete an inventory of all
electronic equipment, data systems, and applications that store all
ePHI, which will then be incorporated into a thorough and accurate
risk assessment of potential risks to its ePHI and include all of the
provider’s facilities and systems.

The risk analysis must be conducted annually and reported to OCR. The
practice must also provide HHS with a risk management plan that will
address and mitigate security risks and vulnerabilities identified in
the risk analysis.

The practice will also need to review and revise its current security
management policies and procedures relating to the risk analysis and
risk management plan, which must comply with HIPAA. The same process
must also be applied to the provider’s business associate
relationships.


More information about the BreachExchange mailing list