HIPAA Horror Stories

HIPAA Risk Analysis Failure: Showdown in Ogden

one-minute read

A Solo Practitioner Calls Foul On A Business Associate And Gets Nabbed For HIPAA Risk Analysis Failure.

File this one under “before you call the feds, make sure your own HIPAA house is in order.”

Following a dispute with a Business Associate, an Ogden, Utah, medical practice was fined $100,000 for failing to conduct a Risk Analysis. The practice also agreed to adopt a corrective action plan.

Risk Analysis FailureWas Never Part Of The Complaint

After things started to fall apart between gastroenterologist Stephen A. Porter, M.D., and his Electronic Health Records provider,  Elevation43, the physician filed a Breach Complaint with the Office For Civil Rights (OCR), the federal agency responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) complaints.

In his complaint, Porter said that Elevation43 was impermissibly using the Porter’s patient electronic protected health information (“ePHI”) by blocking the practice’s access to such ePHI until Dr. Porter paid Elevation43 $50,000.

This case is significant because Porter’s practice is a tiny, one-physician operation. That means, the OCR, as we’ve reported in the past, does not distinguish between large and small Covered Entities and Business Associates.

Feds Identify HIPAA Risk Analysis Failure

During its investigation, OCR determined that Porter’s practice had:

  • failed to implement policies and procedures to prevent, detect, contain, and correct security violations.
  • allowed Elevation43 to create, receive, maintain, or transmit ePHI on the Practice’s behalf, at least since 2013, without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI.

In its findings, OCR noted that, despite providing significant technical assistance to Porter’s practice during the investigation, no accurate or thorough risk analysis was conducted after the alleged breach.

HIPAA Risk Analysis failure is a growing trend

The OCR’s director criticized Porter’s practice and the healthcare industry, in general, for its “unacceptable and disturbing” failure to follow federal risk analysis guidance.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino.  “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

The complete resolution agreement is available here.

When’s the last time you conducted a thorough Risk Analysis for your practice? Not sure? We can help.

Photo by Luis Gutierrez on Unsplash


The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free