HIPAA Fines for Small Businesses


Single-doctor practice fined $100,000 for violations.

A gastroenterology practice in Utah reached a $100,000 settlement last week for never having conducted a risk analysis. In a statement issued by the Office for Civil Rights (OCR), Steven A. Porter, M.D., agreed to pay the $100,000 settlement and adopt a corrective action plan. This type of HIPAA fine is avoidable with a few appropriate steps.

Dr. Porter's office had filed a breach report related to a dispute with a business associate. The resulting investigation revealed that Dr. Porter had never conducted a risk analysis and had failed to implement security measures sufficient to reduce risks and vulnerabilities to a "reasonable and appropriate level."

HIPAA Fines on the Rise

HIPAA fines in the fourth quarter of 2019 increased over previous periods. For instance, the University of Rochester Medical Center reached a $3 million settlement in November 2019. Reports say that it had failed to encrypt mobile devices containing PHI (protected health information).

There were other settlements that exceeded $1 million but there were also penalties issued to smaller firms. For example, a dental office agreed to a $10,000 settlement for responding to a Yelp review and revealing a patient’s last name and details of their dental health.

An ambulance company that lost a laptop containing patient data reached a $65,000 settlement. The laptop's hard drive was not encrypted, which is what turned the loss into a reportable breach and led to the investigation and subsequent penalty.

OCR – Office for Civil Rights

The Office for Civil Rights (OCR) is a division of the Department of Health and Human Services (HHS). It is responsible, among other things, for enforcing HIPAA. In the past, small practices and companies rarely made headlines for paying HIPAA penalties. Federal funding cuts to OCR have likely begun to affect its budget, and that pressure may explain the shift: penalty and settlement payments have reportedly become OCR's primary source of enforcement funding.

HIPAA Risk Assessments

A key step in meeting HIPAA regulations is to have a Risk Analysis (also called a Risk Assessment) completed; the Security Rule requires it outright (45 CFR § 164.308(a)(1)(ii)(A)). It tells you where you stand and what needs attention to become HIPAA compliant. Although HIPAA has some gray areas, it is clear that "willful neglect" draws the most severe penalty tier. Conducting a Risk Assessment demonstrates that you are at least attempting to comply.

The doctor in Utah likely would have avoided a penalty had he put this practice in place. Additionally, the ambulance company mentioned above would likely have avoided a penalty had it enabled BitLocker, the full-disk encryption feature that comes standard with Windows 10 Professional (and Enterprise and Education) editions. BitLocker encrypts the data stored on a device's hard drive, so a lost laptop yields nothing readable without the key. Two caveats matter here: encryption must actually be turned on and finished before the device leaves the office, and the recovery key must be escrowed somewhere other than the laptop itself (for example in Active Directory or Azure AD). PHI encrypted in line with HHS guidance is not considered "unsecured PHI," which is why a lost encrypted laptop generally does not have to be reported as a breach.
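As an added example (not code from the original post or from RSPN), the PowerShell below audits every fixed volume for the BitLocker state a practice would want to be able to show an auditor, then enables BitLocker on the system drive with a TPM protector and escrows a recovery password. It assumes Windows 10 Pro/Enterprise with the built-in BitLocker and TrustedPlatformModule modules, a present and ready TPM, and a domain-joined machine whose Group Policy permits recovery-password backup to Active Directory; the list of acceptable cipher modes is the author's choice, not a HIPAA requirement.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: audit BitLocker state on all fixed
# volumes, then enable it on the OS drive with a TPM protector and an escrowed
# recovery password. Assumes Windows 10 Pro/Enterprise, a ready TPM, and a
# domain-joined machine allowed to back up recovery passwords to AD DS.

Import-Module BitLocker
Import-Module TrustedPlatformModule

# Cipher modes this check accepts (assumption: XTS-AES-256 is the preferred target).
$AcceptableMethods = @('XtsAes256', 'XtsAes128', 'Aes256')

function Test-BitLockerCompliance {
    # One object per fixed volume: fully encrypted, protection on, strong cipher,
    # and at least one recovery password protector that can be escrowed.
    Get-BitLockerVolume | ForEach-Object {
        $hasRecovery = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            HasRecoveryKey   = $hasRecovery
            Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted') -and
                               ($_.ProtectionStatus -eq 'On') -and
                               ($AcceptableMethods -contains "$($_.EncryptionMethod)") -and
                               $hasRecovery
        }
    }
}

function Enable-SystemDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    # A TPM-sealed key means the user never types a pre-boot password, but the
    # drive still cannot be read if it is pulled and attached to another machine.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on this machine; cannot add a TPM protector."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Encrypt the whole volume (not just used space) with XTS-AES-256.
        # Encryption runs in the background; the volume reports
        # EncryptionInProgress until it finishes, and the audit above will
        # correctly flag it as non-compliant until then.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest
    }

    # Add a recovery password if none exists. This is what lets IT unlock the
    # drive after a TPM clear, firmware update or motherboard replacement.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Escrow every recovery password to Active Directory so the only copy is
    # never the sticky note in the laptop bag.
    foreach ($p in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage: audit first, remediate the OS drive, then list anything still non-compliant.
Test-BitLockerCompliance | Format-Table -AutoSize
Enable-SystemDriveBitLocker | Out-Null
Test-BitLockerCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

On Azure AD-joined machines without on-premises AD, replace the `Backup-BitLockerKeyProtector` call with `BackupToAAD-BitLockerKeyProtector`, which takes the same mount point and key protector ID. Keep the `Test-BitLockerCompliance` output from each device; a dated record showing `FullyEncrypted` and `ProtectionStatus On` is the evidence that makes the "encrypted, so not a reportable breach" argument defensible after a laptop goes missing.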

RSPN offers a HIPAA Risk Assessment that includes a scan of technical resources to compare your current network security with HIPAA guidelines. Also included in our assessment is an evaluation of your business's written HIPAA compliance policies. When the assessment is complete, you will have a clear understanding of how to meet these standards.

Contact us today to schedule an assessment for your business. It may be the step that you take to avoid devastating penalties.