Provided by:  Jennifer Kirschenbaum, Esq.
March 5, 2020
 
 
Question:

Jennifer,
 
I've seen a few programs advertised for HIPAA changes.  Is there anything new with HIPAA I should know about?

Thanks, Dr. K 
 

Answer:

No and Yes.  The laws haven't changed; however, enforcement actions tell the story of evolving enforcement and, therefore, evolving expected preventative measures.  Take the enforcement action published on Tuesday (March 3, 2020): there, a gastroenterologist with a respectable solo practice (3,000 active patients) voluntarily reported a breach by a business associate.  As a result of his compliance and making the breach report, he was fined $100,000 for not performing a risk assessment at the time of the reporting.  What is the message to take from this?  The stakes have changed.  Preventative is not a recommendation; it is a requirement.  Every practice must perform a Security Risk Assessment and implement a Security Policy and HIPAA compliance program, which requires IT involvement and legal.

We recently conducted a webinar on Security Risk Assessment, available here.  If you have questions or concerns about your HIPAA compliance program, and Security Risk Assessment process, let us know and we can set up a consult time (at no charge) to discuss.  


 

Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements

The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah. 

OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” 

In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.