In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.

1. Security Management Process. The Practice is required to conduct a security risk assessment of its information systems with respect to electronic protected health information (“PHI”). The Practice must refresh the security risk assessment at least annually and more frequently if needed to respond to environmental or operational changes. Finally, the Practice must implement a risk management plan addressing risks and vulnerabilities identified in the security risk assessment.
2. Policies and Procedures. The Corrective Action Plan further requires the Practice to adopt revised policies and procedures addressing its security management process, business associate relationships, and uses and disclosures of PHI.
3. Training. Following adoption of the new policies and procedures, the Practice is required to conduct privacy and security awareness training of its workforce and conduct training annually going forward.
4. Reporting. The Practice must report to OCR any violation of its policies and procedures by a workforce member.

Significantly, the Corrective Action Plan gives OCR considerable visibility into the Practice’s operations. OCR must review and approve each step, from the initial risk assessment to the training program, before the Practice can move on to the next. OCR will have oversight of workforce violations – regardless of whether they result in a technical breach of PHI that would otherwise be reportable to OCR. Finally, OCR imposed requirements for the frequency of security risk assessments and training that are not specified in the regulations, indicating that OCR believes annual reviews are appropriate.

This investigation and settlement demonstrates that OCR will not absolve small providers of their HIPAA obligations. In OCR’s press release, OCR Director Roger Severino cautions, “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements . . . continues to be an unacceptable and disturbing trend within the health care industry.” We can expect that OCR will be equally tough on small businesses that act as HIPAA business associates to providers. All covered entities and business associates should ensure that they maintain HIPAA compliance, regardless of the size or complexity of the organization.