$100,000 HIPAA Settlement Reached for HIPAA Violations
In its first HIPAA settlement of 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) fined a sole practitioner $100,000 for HIPAA violations.
The gastroenterological practice, Steven A. Porter, M.D., filed a breach report with OCR in November 2013, claiming that its EHR business associate was withholding its patients' electronic protected health information (ePHI). The practice had an outstanding bill of $50,000 with the EHR vendor.
Although Porter filed the complaint, the OCR investigation pointed to potential HIPAA violations by Porter's own practice. Upon further investigation, OCR found that the practice had significant gaps in its HIPAA compliance program.
The investigation uncovered the following HIPAA violations:
- Failure to implement policies and procedures to prevent, detect, contain, and correct security violations.
- Failure to conduct a thorough and accurate risk analysis to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failure to obtain assurances that their business associate (BA) was appropriately safeguarding the ePHI that it created, received, maintained, or transmitted on behalf of the gastroenterological practice.
How to Avoid HIPAA Violations
There were several areas in which Porter lacked sufficient measures to safeguard protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations, and their business associates, to have the following:
- Self-audits: one of the reasons that Porter was fined for HIPAA violations was failure to conduct a thorough and accurate risk analysis. However, many organizations complete the required risk analysis, while ignoring the other five required annual self-audits. Self-audits measure a practice’s business practices against HIPAA standards to ensure that there are adequate safeguards securing PHI.
- Gap identification and remediation plans: conducting self-audits allows organizations to determine where their safeguards are lacking, so that they may develop remediation plans to address deficiencies.
- Policies and procedures: Porter was also fined for failure to implement policies and procedures to safeguard PHI. Policies and procedures provide guidance to staff members on the proper uses and disclosures of PHI, limiting the risk of breaches.
- Employee training: employees must be trained annually on HIPAA standards and their organization’s internal policies and procedures.
- Business associate management: signing a business associate agreement is not enough to ensure that business associates are properly handling PHI. Covered entities are required to vet their vendors to ensure that they are protecting the PHI that they create, receive, maintain, store, or transmit on behalf of the covered entity. Many practices have signed BAAs with their vendors, but fail to vet their vendors, leaving them liable in the case of a breach.
- Incident management: organizations that experience a breach must have the means to track and manage it. This includes the ability for staff members to report suspected breaches anonymously.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Your TBHI Professional Training Options
TBHI specializes in teaching you how to relax when delivering telehealth. It offers you a step-by-step learning path of online training that helps you be legally and ethically compliant, clinically proficient, and able to handle even the most difficult of clinical scenarios. Take advantage of COVID discount pricing to learn how to sit back and enjoy your telehealth experiences, rather than struggling with ZOOM fatigue and clinical uncertainty. All courses are evidence-based, available 24/7 through any device and most count toward legal and ethical requirements for licensure. Two micro certifications are also available.
- Telehealth Group Therapy — Exciting, highly interactive telehealth learning experience designed to get answers to your questions about legally and ethically managing telehealth group therapy. Digital class will allow you to connect with colleagues ahead of time to ask questions and share answers. Distinguished faculty will lead you through telehealth group therapy theory and exercises.
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other areas.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individual.