In its first HIPAA settlement of 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) fined a sole practitioner $100,000 for HIPAA violations.
The gastroenterology practice, Steven A. Porter, M.D., filed a breach report with OCR in November 2013, claiming that its electronic health record (EHR) business associate was withholding its patients' electronic protected health information (ePHI). The practice had an outstanding bill of $50,000 with the EHR vendor.
Although Porter filed the complaint, the OCR investigation pointed to potential HIPAA violations by Porter itself. Upon further investigation, OCR found that the practice had significant gaps in its HIPAA compliance program.
The investigation uncovered the following HIPAA violations:
- Failure to implement policies and procedures to prevent, detect, contain, and correct security violations.
- Failure to conduct a thorough and accurate risk analysis to identify vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failure to obtain assurances that its business associate was appropriately safeguarding the ePHI that it created, received, maintained, or transmitted on behalf of the gastroenterology practice.
How to Avoid HIPAA Violations
There were several areas in which Porter lacked sufficient measures to safeguard protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and their business associates to have the following:
- Self-audits: one of the reasons Porter was fined for HIPAA violations was failure to conduct a thorough and accurate risk analysis. However, many organizations complete the required risk analysis while neglecting the periodic evaluations HIPAA also requires of their administrative, physical, and technical safeguards. Self-audits measure a practice's business practices against HIPAA standards to ensure that there are adequate safeguards securing PHI, and they should be repeated whenever systems, vendors, or workflows change, not only on a fixed calendar.
- Gap identification and remediation plans: conducting self-audits allows organizations to determine where their safeguards are lacking, so that they may develop remediation plans to address deficiencies.
- Policies and procedures: Porter was also fined for failure to implement policies and procedures to safeguard PHI. Policies and procedures give staff members guidance on the proper uses and disclosures of PHI and on the security controls that protect it, limiting the risk of breaches. A policy that exists only on paper does not count; OCR looks for evidence that it is implemented and followed.
- Employee training: employees must be trained on HIPAA standards and their organization's internal policies and procedures when they join, whenever those policies change, and periodically thereafter (annual refresher training is the common practice), with attendance documented.
- Business associate management: signing a business associate agreement (BAA) is not enough to ensure that business associates are properly handling PHI. Covered entities must vet their vendors to confirm that they are protecting the PHI they create, receive, maintain, store, or transmit on behalf of the covered entity. Many practices have signed BAAs with their vendors but never verify how those vendors actually handle PHI, which leaves the covered entity exposed to both breach liability and HIPAA violations of its own, as Porter's case shows.
- Incident management: organizations that experience a breach must have a means to track and manage it. This includes a way for staff members to report suspected breaches (anonymously, where possible) without fear of retaliation, and documentation of each incident, its investigation, and its resolution.