BreachExchange mailing list archives
OCR Settles with Utah Provider for $100K Over HIPAA Security Failures
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 4 Mar 2020 09:27:29 -0600
https://healthitsecurity.com/news/ocr-settles-with-utah-provider-for-100k-over-hipaa-security-failures

March 03, 2020 - The provider office of Steven Porter, MD in Ogden, Utah has settled with the Department of Health and Human Services Office for Civil Rights after failing to implement certain HIPAA security requirements. Porter will pay OCR $100,000 and must adopt a corrective action plan.

Porter is the sole practitioner of the medical practice and provides gastroenterological services to more than 3,000 patients each year. His settlement with OCR over potential HIPAA violations is the first announced this year.

OCR launched a compliance review into the practice after Porter filed a breach report stemming from a business associate dispute. Porter claimed his EHR vendor was impermissibly using the practice’s electronic protected health information by blocking the provider’s access until he paid the vendor $50,000.

However, the investigation revealed the provider never conducted a security risk analysis of potential risks and vulnerabilities to the integrity and availability of its ePHI prior to the breach report. Porter failed to implement policies and procedures that would prevent, detect, contain, and correct security violations. The investigation also found the practice did not implement security measures that would sufficiently reduce risks and vulnerabilities to a reasonable level.

Further, the practice also allowed its EHR vendor to create, receive, maintain, and transmit ePHI on behalf of the provider since at least 2013, but did not first obtain satisfactory assurances that the vendor would appropriately safeguard the data.

What’s more, OCR provided Porter with “significant technical assistance” during the investigation, but the practice still did not conduct an accurate and thorough risk analysis after the breach.

“All healthcare providers, large and small, need to take their HIPAA obligations seriously,” OCR Director Roger Severino said in a statement. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.”

It's important to note that the Office of the National Coordinator has developed a risk assessment tool that can help providers effectively identify and assess risks to patient health data.

The agreement is not an admission of liability by the provider nor a concession by HHS. Porter has agreed to the monetary settlement and a corrective action plan, including two years of monitoring by OCR.

The practice will need to first complete an inventory of all electronic equipment, data systems, and applications that store ePHI, which will then be incorporated into a thorough and accurate risk assessment of potential risks to its ePHI that covers all of the provider’s facilities and systems. The risk analysis must be conducted annually and reported to OCR.

The practice must also provide HHS with a risk management plan that will address and mitigate security risks and vulnerabilities identified in the risk analysis. The practice will also need to review and revise its current security management policies and procedures relating to the risk analysis and risk management plan, which must comply with HIPAA. The same process must also be applied to the provider’s business associate relationships.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com