Latest OCR settlement reminds HIPAA-regulated entities to conduct a security risk analysis

BY Valerie Breslin Montague

On March 3, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights released a Resolution Agreement with a physician practice following allegations of HIPAA Security Rule violations.

Steven A. Porter, M.D., P.C. (the “Practice”) agreed to pay OCR $100,000 to settle the allegations, and entered into a two-year Corrective Action Plan.

In 2013, the Practice filed a breach notification with OCR regarding a dispute with the Practice’s business associate. OCR initiated a compliance review of the Practice, and found that the Practice failed to conduct a risk analysis, i.e., reviewing potential risks and vulnerabilities to its electronic protected health information. OCR also found that the Practice failed to implement security measures to mitigate or eliminate risks. Finally, OCR found that the Practice failed to enter into a business associate agreement with its electronic health records vendor.

This enforcement action is another example of OCR making an example of an entity that failed to conduct a required security risk analysis. As OCR Director Roger Severino indicated in a statement, there is a continued failure by health care entities to conduct a risk analysis and corresponding risk management plan. Entities regulated under HIPAA should ensure that their compliance plan covers not only policies and procedures and workforce training, but also the other aspects, including a periodic risk analysis.

In addition, in its release describing its settlement with the Practice, OCR indicated that it attempted to provide technical assistance to the Practice prior to entering into a settlement and financial penalty. OCR indicated that despite the “significant” assistance it provided to the Practice, the Practice still failed to complete an “accurate and thorough” risk analysis and failed to implement necessary security measures. This serves as a warning to covered entities and business associates that, if your HIPAA compliance program is not sufficient at the time of an OCR audit or investigation, you should take every opportunity available to fully implement any technical assistance provided by OCR to avoid a potential financial penalty and Corrective Action Plan.

author img


Valerie Breslin Montague


Posts By this author