A Solo Doctor Practice Received A $100,000 HIPAA Fine: What Steps Should You Take Now To Avoid Being Next?
Dr. Steven Porter has a gastroenterology practice that sees more than 3000 patients per year. In 2013, Dr. Porter reported to the Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) that a business associate was impermissibly using his practice’s electronic protected health information (ePHI) and blocking the practice’s access to vital ePHI unless the practice paid a monetary fee. OCR opened an investigation and found Dr. Porter’s practice to be significantly out of compliance with the HIPAA Privacy and Security regulations. OCR offered technical assistance to Dr. Porter’s practice; however, no steps were taken to correct the areas of HIPAA non-compliance. As a result, Dr. Steven Porter’s practice was fined $100,000.
What was Dr. Porter’s Practice Missing?
HIPAA Risk Analysis
Dr. Porter’s practice failed to conduct a thorough and complete HIPAA risk analysis, both before and after the issue with the business associate was identified, even after OCR advised it to complete one and offered technical assistance.
Lesson Learned: Your organization should be conducting a HIPAA Risk Analysis on a regular basis. The best practice is to conduct a HIPAA Risk Analysis on an annual basis, upon changes to regulations, and/or upon major changes in technical infrastructure.
HIPAA Risk Management Plan
Since Dr. Porter didn’t conduct a HIPAA Risk Analysis, no plan was established to mitigate and reduce the risks identified.
Lesson Learned: After you complete your HIPAA Risk Analysis, you need to establish a plan to fix the risks identified. In this plan, document how you are fixing each identified risk and keep records that tell the story of how the risks were corrected.
HIPAA Policies and Procedures
Dr. Porter’s practice did not have specific HIPAA policies and procedures that defined the process for compliance with the HIPAA regulations.
Lesson Learned: Every organization must have organization-specific policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification regulations. It is extremely important that your policies and procedures are specific to your organization.
Establishment of Business Associate Relationship and Business Associate Agreements
Dr. Porter failed to establish the appropriate evaluation and safeguards when sharing his electronic protected health information with a third-party provider. In addition, Dr. Porter didn’t verify the vendor’s security practices or protect the PHI before sharing it with the third-party vendor.
Lesson Learned: Each third-party vendor that creates, maintains, transmits, or stores electronic protected health information on your behalf needs to have an established Business Associate Agreement that defines the expectations for the use and disclosure of protected health information. In addition, an evaluation of the third-party vendor’s practices for protecting and securing PHI should occur during the contracting process and the establishment of the Business Associate Agreement.
HIPAA Workforce Training
Dr. Porter’s practice did not provide regular HIPAA education and security updates to workforce members and didn’t educate the workforce on the HIPAA privacy and security practices of the organization.
Lesson Learned: Your organization needs to conduct HIPAA training at least once a year, as well as provide security updates throughout the year.
OCR Director Roger Severino stated: “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.”
Now is the time to take action and get your organization into HIPAA compliance! If you are ready, our revolutionary product HIPAA Autopilot can help you create a solid HIPAA Compliance Program, keeping you on track through regular HIPAA Risk Analysis, Guided HIPAA Risk Management, Customized Organization-Specific HIPAA Policies and Procedures, Business Associate Management, and HIPAA Workforce Training.
Not sure where your organization stands? Take our free 11-question HIPAA Check-Up. You will get instant results on your organization’s current state of HIPAA compliance!