HIPAA compliance fines

Small Providers Pay Big Settlements for HIPAA Violations

Two recent settlements show that the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency that enforces HIPAA, is not going easy on smaller health care providers who fail to pay attention to HIPAA compliance. Both providers signed Resolution Agreements, paid settlements, and are subject to corrective action plans, with OCR oversight for two years.

Sole Practitioner in Utah Failed its Risk Analysis

In March, 2020, OCR announced a $100,000 settlement with Steven A. Porter, M.D., a gastroenterologist in Ogden, Utah with over 3,000 patients. The Stephen A. Porter medical practice also was required to enter a corrective action plan that includes two years of monitoring by OCR.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

Federally Qualified Health Center in North Carolina Missed on the Security Rule

In July, 2020, OCR announced a $25,000 settlement with Metropolitan Community Health Services (Metro), doing business as Agape Health Services. Although $25,000 seems modest compared to some other recent settlements, given its status as a Federally Qualified Health Center (FQHC), the amount is significant. Metro provides a variety of discounted medical services to the underserved population in rural North Carolina. Metro was found to have potential violations of the HIPAA Security Rule.

OCR also required Metro to adopt a corrective action plan which includes two years of monitoring by OCR.

What Went Wrong – Hint: Risk Analysis was Missing

Stephen A. Porter Medical Practice – An OCR investigation began after Dr. Porter’s medical practice filed a breach report related to a dispute with a business associate.

OCR’s investigation found that Dr. Porter had never conducted a Risk Analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough Risk Analysis after the breach and failed to implement a Risk Management Plan.

Metropolitan Community Health Services – In 2011, Metro filed a breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients.

OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, Metro failed to conduct any Risk Analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.

HIPAA Risk Analysis – Risk Management is Fundamental

In both cases, the Risk Analysis was missing, and follow-up with the Risk Management plan that flows from it. Providers must have policies of course, but HIPAA compliance is not a “check the box” exercise.  True HIPAA Risk Analysis – Risk Management is the heart of HIPAA compliance, and everything follows from there. In the case of Metro, the Risk Analysis would have uncovered the Security Rule issues, and would have provided corrective measures to improve compliance.

Risk Analysis does NOT have to be hard, and you don’t need to hire an expensive consultant to do the work. In fact, if you or your staff do it yourselves, you’ll understand it better and create a culture of compliance that will strengthen your organization.

The HIPAA E-Tool® has a step-by-step Risk Analysis module designed for a practice manager without special HIPAA knowledge to handle. We created it to put control and knowledge into the hands of providers themselves. And professional advice/customer service for subscribers is a phone call away.

Don’t overpay or hire expensive consultants when you can do a better job, on your own, with The HIPAA E-Tool®.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free