Vitalii Gulenok/istock via Getty

OCR Settles with Utah Provider for $100K Over HIPAA Security Failures

Provider Steven Porter, MD in Ogden, Utah settled with HHS OCR after failing to implement HIPAA security requirements, such as conducting a risk analysis of potential risks to patient data.

The provider office of Steven Porter, MD in Ogden, Utah has settled with the Department of Health and Human Services Office for Civil Rights after failing to implement certain HIPAA security requirements. Porter will pay OCR $100,000 and must adopt a corrective action plan.

Porter is the sole practitioner of the medical practice and provides gastroenterological services to more than 3,000 patients each year. His settlement with OCR over potential HIPAA violations is the first announced this year.

OCR launched a compliance review into the practice, after Porter filed a breach report stemming from a business associate dispute. Porter claimed his EHR vendor was impermissibly using the practice’s electronic protected health information by blocking the provider’s access until he paid the vendor $50,000.

However, the investigation revealed the provider never conducted a security risk analysis of potential risks and vulnerabilities to the integrity and availability of its ePHI prior to the breach report. Porter failed to implement policies and procedures that would prevent, detect, contain, and correct security violations.

The investigation also found the practice did not implement security measures that would sufficiently reduce risks and vulnerabilities to a reasonable level.

Further, the practice also allowed its EHR vendor to create, receive, maintain, and transmit ePHI on behalf of the provider since at least 2013, but did not first obtain satisfactory assurances that the vendor would appropriately safeguard the data.

What’s more, OCR provided Porter with “significant technical assistance” during the investigation, but the practice still did not conduct an accurate and thorough risk analysis after the breach.

“All healthcare providers, large and small, need to take their HIPAA obligations seriously,” OCR Director Roger Severino, said in a statement. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.”

It's important to note that the Office of the National Coordinator has developed a risk assessment tool that can help providers effectively identify and assess risks to patient health data.

The agreement is not an admission of liability by the provider nor a concession by HHS. Porter has agreed to the monetary settlement and a corrective action plan, including two years of monitoring by OCR.

The practice will need to first complete an inventory of all electronic equipment, data systems, and applications that store all ePHI, which will then be incorporated into a thorough and accurate risk assessment of potential risks to its ePHI and include all of the provider’s facilities and systems.

The risk analysis must be conducted annually and reported to OCR. The practice must also provide HHS with a risk management plan that will address and mitigate security risks and vulnerabilities identified in the risk analysis.

The practice will also need to review and revise its current security management policies and procedures relating to the risk analysis and risk management plan, which must comply with HIPAA. The same process must also be applied to the provider’s business associate relationships.

Dig Deeper on HIPAA compliance and regulation