Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Articles
    4. Latest OCR settlement reminds HIPAA regulated entities to conduct a security risk analysisArticles

    Article

    Latest OCR settlement reminds HIPAA regulated entities to conduct a security risk analysis

    March 10, 2020

    Share

    By Valerie Montague

    A medical practice’s failure to conduct a security risk analysis, failure to implement a risk management plan, and failure to execute a business associate agreement with a vendor leads to a HIPAA penalty.

    On March 3, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights released a Resolution Agreement with a physician practice following allegations of HIPAA Security Rule violations.

    Steven A. Porter, M.D., P.C. (the “Practice”) agreed to pay OCR $100,000 to settle the allegations, and entered into a two-year Corrective Action Plan.

    In 2013, the Practice filed a breach notification with OCR regarding a dispute with the Practice’s business associate. OCR initiated a compliance review of the Practice, and found that the Practice failed to conduct a risk analysis, i.e., reviewing potential risks and vulnerabilities to its electronic protected health information. OCR also found that the Practice failed to implement security measures to mitigate or eliminate risks. Finally, OCR found that the Practice failed to enter into a business associate agreement with its electronic health records vendor.

    This enforcement action is another example of OCR making an example of an entity that failed to conduct a required security risk analysis. As OCR Director Roger Severino indicated in a statement, there is a continued failure by health care entities to conduct a risk analysis and corresponding risk management plan. Entities regulated under HIPAA should ensure that their compliance plan covers not only policies and procedures and workforce training, but also the other aspects, including a periodic risk analysis.

    In addition, in its release describing its settlement with the Practice, OCR indicated that it attempted to provide technical assistance to the Practice prior to entering into a settlement and financial penalty. OCR indicated that despite the “significant” assistance it provided to the Practice, the Practice still failed to complete an “accurate and thorough” risk analysis and failed to implement necessary security measures. This serves as a warning to covered entities and business associates that, if your HIPAA compliance program is not sufficient at the time of an OCR audit or investigation, you should take every opportunity available to fully implement any technical assistance provided by OCR to avoid a potential financial penalty and Corrective Action Plan.

    PrivacyData BreachPrivacyHealth Care And HipaaHIPAA

    Practices

    Health Information - Privacy, Security, and Data Sharing

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL