OCR has settled a complaint against a covered entity for violations that first occurred prior to November 2013, but continued thereafter.
Yes, 2013. That’s when Steven A. Porter, M.D., first reported a breach to OCR that involved his business associate Elevation43. According to the complaint Porter filed at the time, and as described by OCR, the business associate was holding the doctor’s patients’ EHR hostage until the doctor paid them $50,000. But that’s not what the settlement was about in this case. When OCR started investigating Porter’s complaint and report, they found that he had not conducted an appropriate risk assessment, as required by HIPAA, and had not had adequate security controls in place. And therein lies the heart of the matter.
As OCR explains in their press release:
The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.
OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.
So it appears there might have been no monetary penalty or corrective action plan at all if the doctor had complied by conducting a decent risk assessment and implementing what OCR considered to be appropriate security measures.
And what will Dr. Porter’s patients think now if they read about this settlement in the news? How does it look that a doctor seemingly refuses to comply with OCR on conducting an adequate risk assessment and implementing appropriate security controls? Would you feel confident that the doctor was adequately protecting your PHI? The resolution contains no admission of any guilt, but what is the public perception?
And what, if anything, were the consequences for Elevation43, who were accused of holding the EHR until payment was made? Nothing in the complaint/resolution discusses any actions taken against them. A search on the company’s name reveals that they voluntarily dissolved as of 02/16/2017.