$100,000 HIPAA Settlement With Solo Physician Practice
Friday, March 20, 2020
privacy concerns with patient records
Print Mail Download i

Dr. Steven A. Porter, M.D., P.C. (Dr. Porter’s Practice) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Service (HHS) entered into a $100,000 no-fault settlement agreement and two year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

OCR initiated an investigation into Dr. Porter’s Practice after it filed a breach report with OCR related to a dispute with a business associate, Elevation43. Elevation43 was a business associate of Dr. Porter’s Practice’s electronic health record (EHR) vendor. Dr. Porter’s Practice alleged that Elevation43 was impermissibly using patients’ electronic protected health information (ePHI) by blocking Dr. Porter’s Practice from accessing said ePHI. OCR’s investigation revealed that Dr. Porter’s Practice failed to:

  • Implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, Dr. Porter’s Practice failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. Further, Dr. Porter’s Practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

  • Dr. Porter’s Practice permitted Dr. Porter’s electronic health record (EHR) company to create, receive, maintain, or transmit ePHI on Dr. Porter’s Practice’s behalf at least since 2013 without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI.

As a reminder, the HIPAA Privacy Rule allows covered entities to disclose ePHI to business associates if the covered entity obtains satisfactory assurances that the business associate will (1) use the ePHI only for the purposes for which it was engaged by the covered entity, (2) safeguard the ePHI from misuse, and (3) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. A business associate may permit a subcontractor to create, receive, maintain, or transmit ePHI on its behalf only if the business associate obtains satisfactory assurances from the subcontractor that the subcontractor will appropriately safeguard the ePHI.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins