June 5, 2020

$100,000 HIPAA Settlement With Solo Physician Practice

Dr. Steven A. Porter, M.D., P.C. (Dr. Porter’s Practice) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $100,000 no-fault settlement agreement and a two-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

OCR initiated an investigation into Dr. Porter’s Practice after it filed a breach report with OCR related to a dispute with a business associate, Elevation43. Elevation43 was a business associate of Dr. Porter’s Practice’s electronic health record (EHR) vendor. Dr. Porter’s Practice alleged that Elevation43 was impermissibly using patients’ electronic protected health information (ePHI) by blocking Dr. Porter’s Practice from accessing said ePHI. OCR’s investigation revealed that Dr. Porter’s Practice failed to:

  • Implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, Dr. Porter’s Practice failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. Further, Dr. Porter’s Practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

  • Obtain satisfactory assurances from its business associate. Dr. Porter’s Practice permitted its electronic health record (EHR) company to create, receive, maintain, or transmit ePHI on the Practice’s behalf since at least 2013 without obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI.

As a reminder, the HIPAA Privacy Rule allows covered entities to disclose ePHI to business associates if the covered entity obtains satisfactory assurances that the business associate will (1) use the ePHI only for the purposes for which it was engaged by the covered entity, (2) safeguard the ePHI from misuse, and (3) help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule. A business associate may permit a subcontractor to create, receive, maintain, or transmit ePHI on its behalf only if the business associate obtains satisfactory assurances from the subcontractor that the subcontractor will appropriately safeguard the ePHI.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...