Two recent settlements show that the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), the agency that enforces HIPAA, is not going easy on smaller health care providers who fail to pay attention to HIPAA compliance. Both providers signed Resolution Agreements, paid settlements, and are subject to corrective action plans, with OCR oversight for two years.
Sole Practitioner in Utah Failed its Risk Analysis
In March 2020, OCR announced a $100,000 settlement with Steven A. Porter, M.D., a gastroenterologist in Ogden, Utah, with over 3,000 patients. The Steven A. Porter medical practice was also required to enter a corrective action plan that includes two years of monitoring by OCR.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
Federally Qualified Health Center in North Carolina Missed on the Security Rule
In July 2020, OCR announced a $25,000 settlement with Metropolitan Community Health Services (Metro), doing business as Agape Health Services. Although $25,000 seems modest compared to some other recent settlements, the amount is significant given Metro's status as a Federally Qualified Health Center (FQHC). Metro provides a variety of discounted medical services to the underserved population in rural North Carolina. Metro was found to have potential violations of the HIPAA Security Rule.
OCR also required Metro to adopt a corrective action plan which includes two years of monitoring by OCR.
What Went Wrong – Hint: Risk Analysis was Missing
Steven A. Porter Medical Practice – An OCR investigation began after Dr. Porter’s medical practice filed a breach report related to a dispute with a business associate.
OCR’s investigation found that Dr. Porter had never conducted a Risk Analysis as of the time of the breach report, and that, despite significant technical assistance throughout the investigation, he had failed to complete an accurate and thorough Risk Analysis after the breach and had failed to implement a Risk Management Plan.
Metropolitan Community Health Services – In 2011, Metro filed a breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients.
OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, Metro failed to conduct any Risk Analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.
HIPAA Risk Analysis – Risk Management is Fundamental
In both cases the Risk Analysis was missing, and so was the follow-up Risk Management plan that flows from it. Providers must have policies, of course, but HIPAA compliance is not a “check the box” exercise. True HIPAA Risk Analysis – Risk Management is the heart of HIPAA compliance, and everything follows from there. In the case of Metro, the Risk Analysis would have uncovered the Security Rule issues and would have provided corrective measures to improve compliance.
Risk Analysis does NOT have to be hard, and you don’t need to hire an expensive consultant to do the work. In fact, if you or your staff do it yourselves, you’ll understand it better and create a culture of compliance that will strengthen your organization.
The HIPAA E-Tool® has a step-by-step Risk Analysis module designed so that a practice manager without special HIPAA knowledge can handle it. We created it to put control and knowledge into the hands of providers themselves. And professional advice and customer service for subscribers is a phone call away.
Don’t overpay or hire expensive consultants when you can do a better job, on your own, with The HIPAA E-Tool®.