Health Care Provider Pays $100k Settlement to OCR
The practice of Steven A. Porter, M.D., has agreed to pay a $100,000 settlement to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.
OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. The breach was first reported to OCR in 2013. The complaint described a business associate as holding the doctor’s patients’ electronic health records (EHR) hostage until the doctor paid them $50,000. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report and, despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
In addition to the $100,000 settlement to the OCR, Dr. Porter will undertake a corrective action plan that includes two years of monitoring.