A physician has agreed to pay $100,000 to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) with the Office for Civil Rights (OCR) in the Department of Health and Human Services, after a business associate of the physician's electronic health records (EHR) company blocked the practice's access to its electronic protected health information (ePHI) until the practice paid the associate $50,000.
A copy of the settlement with Steven A. Porter, M.D., a gastroenterologist in Ogden, Utah, can be accessed by clicking here.
Dr. Porter filed a breach report with OCR in 2013. The report claimed that a business associate of the doctor's EHR company was "impermissibly" using the practice's PHI by blocking access to it until the doctor paid the associate $50,000. OCR's investigation found that the practice itself had not been complying with HIPAA: it had failed to implement policies and procedures to prevent, detect, contain, and correct security violations. In addition, the practice had permitted the EHR company to create, maintain, receive, and transmit ePHI without first obtaining satisfactory assurances, in the form of a business associate agreement, that the information would be safeguarded.
While not admitting any wrongdoing, Dr. Porter agreed to pay $100,000 and to adopt a corrective action plan that includes conducting a thorough risk analysis, developing a risk management plan, updating the practice's security management processes, and revising its agreements with business associates.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino, in a statement. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”