Dr. Steven A. Porter, M.D., P.C. (Dr. Porter’s Practice) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Service (HHS) entered into a $100,000 no-fault settlement agreement and two year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
OCR initiated an investigation into Dr. Porter’s Practice after it filed a breach report with OCR related to a dispute with a business associate, Elevation43. Elevation43 was a business associate of Dr. Porter’s Practice’s electronic health record (EHR) vendor. Dr. Porter’s Practice alleged that Elevation43 was impermissibly using patients’ electronic protected health information (ePHI) by blocking Dr. Porter’s Practice from accessing said ePHI. OCR’s investigation revealed that Dr. Porter’s Practice failed to:
- Implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, Dr. Porter’s Practice failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. Further, Dr. Porter’s Practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Dr. Porter’s Practice permitted Dr. Porter’s electronic health record (EHR) company to create, receive, maintain, or transmit ePHI on Dr. Porter’s Practice’s behalf at least since 2013 without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI.
As a reminder, the HIPAA Privacy Rule allows covered entities to disclose ePHI to business associates if the covered entity obtains satisfactory assurances that the business associate will (1) use the ePHI only for the purposes for which it was engaged by the covered entity, (2) safeguard the ePHI from misuse, and (3) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. A business associate may permit a subcontractor to create, receive, maintain, or transmit ePHI on its behalf only if the business associate obtains satisfactory assurances from the subcontractor that the subcontractor will appropriately safeguard the ePHI.