A Solo Practitioner Calls Foul On A Business Associate And Gets Nabbed For HIPAA Risk Analysis Failure.
File this one under “before you call the feds, make sure your own HIPAA house is in order.”
Following a dispute with a Business Associate, an Ogden, Utah, medical practice was fined $100,000 for failing to conduct a Risk Analysis. The practice also agreed to adopt a corrective action plan.
Risk Analysis FailureWas Never Part Of The Complaint
After things started to fall apart between gastroenterologist Stephen A. Porter, M.D., and his Electronic Health Records provider, Elevation43, the physician filed a Breach Complaint with the Office For Civil Rights (OCR), the federal agency responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) complaints.
In his complaint, Porter said that Elevation43 was impermissibly using the Porter’s patient electronic protected health information (“ePHI”) by blocking the practice’s access to such ePHI until Dr. Porter paid Elevation43 $50,000.
This case is significant because Porter’s practice is a tiny, one-physician operation. That means, the OCR, as we’ve reported in the past, does not distinguish between large and small Covered Entities and Business Associates.
Feds Identify HIPAA Risk Analysis Failure
During its investigation, OCR determined that Porter’s practice had:
- failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
- allowed Elevation43 to create, receive, maintain, or transmit ePHI on the Practice’s behalf, at least since 2013, without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI.
In its findings, OCR noted that, despite providing significant technical assistance to Porter’s practice during the investigation, no accurate or thorough risk analysis was conducted after the alleged breach.
HIPAA Risk Analysis failure is a growing trend
The OCR’s director criticized Porter’s practice and the healthcare industry, in general, for its “unacceptable and disturbing” failure to follow federal risk analysis guidance.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
The complete resolution agreement is available here.
When’s the last time you conducted a thorough Risk Analysis for your practice? Not sure? We can help.