As of Oct 2020, there are 13 Healthcare HIPAA Violations resulting in millions of dollars in fines. These HIPAA breaches were all preventable.
Health care provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements
The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.
OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.
HIPAA Breach – Indiana Medical Records Service Pays $100,000 to Settle
Medical Informatics Engineering, Inc. has paid $100,000 to HHS and has agreed to take corrective action against the HIPAA breach.
May 23, 2019 – Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed to take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.
On July 23, 2015, MIE filed a HIPAA breach report with OCR following discovery that hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information.
“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
In addition to the $100,000 settlement, MIE will undertake a corrective action plan to comply with the HIPAA Rules that includes a complete, enterprise-wide risk analysis.
HIPAA Compliance Review Program Launch
CMS, on behalf of HHS, is launching a HIPAA Compliance Review Program to ensure compliance with the administrative safeguards by covered entities.
The Centers for Medicare & Medicaid Services (CMS) Division of National Standards, on behalf of the Department of Health and Human Services (HHS), is launching the HIPAA Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.
In April 2019, HHS will randomly select 9 HIPAA-covered entities—a mix of health plans and clearinghouses—for HIPAA Compliance Reviews. Any health plan or clearinghouse—not just those who work with Medicare or Medicaid—may be selected. In 2018, HHS piloted the program with health plan and clearinghouse volunteers to streamline the process. In 2019, providers will be able to participate in a separate pilot program on a voluntary basis.
Moving forward, the Compliance Review Program will conduct periodic reviews with randomly selected entities to assess compliance.
Read the full Information Bulletin on the Go-to-Info page for more information, and watch for more Email Update messages with details about the program.