In a noteworthy development, a sole-practitioner gastroenterology practice recently agreed to pay $100,000 to the Office for Civil Rights of the Department of Health and Human Services (OCR) and to adopt a two-year corrective action plan to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR Press Release published on March 3, OCR alleged that the practice failed to comply with "basic" HIPAA Security Rule requirements by not conducting a thorough security risk analysis and not implementing a risk management plan, a failure that OCR characterized as part of an "unacceptable and disturbing trend within the health care industry." OCR also alleged that the practice had no written business associate agreement in place with its EHR vendor from 2013 onward. As is often the case, the settlement stemmed from a compliance review that OCR conducted after the practice filed a breach report in 2013. In what was likely an aggravating factor, OCR stated that certain of the alleged violations persisted despite OCR's provision of "significant technical assistance" to the practice.
Covered entities (and business associates) should continue to:
- ensure that they have conducted a recent, enterprise-wide security risk analysis and update the analysis at least annually and as needed for changes in operations or threats;
- develop and implement a security risk management plan that reduces identified risks to reasonable and appropriate levels; and
- develop a vendor management program and ensure that business associate agreements are in place with all business associates.
It is also critical to have appropriate written HIPAA policies in place and to review and monitor those policies as well as conduct regular training.
While these takeaways are not new, the eye-catching amount of the settlement for a single-physician medical practice reinforces OCR's longstanding view that security risk analysis, risk management and business associate agreements are foundational to HIPAA compliance. As OCR seeks to meaningfully move the dial on addressing widespread cybersecurity risk within the health care industry, covered entities and business associates of all sizes are on notice that OCR will take seriously these foundational failures. Fortunately, OCR also has provided a wealth of compliance guidance on risk analysis, risk management, business associate contracting, and vendor diligence and management.