Skip to main content

Nixon Peabody LLP

Article

Latest OCR settlement reminds HIPAA regulated entities to conduct a security risk analysis

March 10, 2020

By Valerie Montague

A medical practice’s failure to conduct a security risk analysis, failure to implement a risk management plan, and failure to execute a business associate agreement with a vendor leads to a HIPAA penalty.

On March 3, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights released a Resolution Agreement with a physician practice following allegations of HIPAA Security Rule violations.

Steven A. Porter, M.D., P.C. (the “Practice”) agreed to pay OCR $100,000 to settle the allegations, and entered into a two-year Corrective Action Plan.

In 2013, the Practice filed a breach notification with OCR regarding a dispute with the Practice’s business associate. OCR initiated a compliance review of the Practice, and found that the Practice failed to conduct a risk analysis, i.e., reviewing potential risks and vulnerabilities to its electronic protected health information. OCR also found that the Practice failed to implement security measures to mitigate or eliminate risks. Finally, OCR found that the Practice failed to enter into a business associate agreement with its electronic health records vendor.

This enforcement action is another example of OCR making an example of an entity that failed to conduct a required security risk analysis. As OCR Director Roger Severino indicated in a statement, there is a continued failure by health care entities to conduct a risk analysis and corresponding risk management plan. Entities regulated under HIPAA should ensure that their compliance plan covers not only policies and procedures and workforce training, but also the other aspects, including a periodic risk analysis.

In addition, in its release describing its settlement with the Practice, OCR indicated that it attempted to provide technical assistance to the Practice prior to entering into a settlement and financial penalty. OCR indicated that despite the “significant” assistance it provided to the Practice, the Practice still failed to complete an “accurate and thorough” risk analysis and failed to implement necessary security measures. This serves as a warning to covered entities and business associates that, if your HIPAA compliance program is not sufficient at the time of an OCR audit or investigation, you should take every opportunity available to fully implement any technical assistance provided by OCR to avoid a potential financial penalty and Corrective Action Plan.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe