In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.
According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.
In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.
Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability