Accurately and Thoroughly Conduct a HIPAA Security Risk Analysis – Or Risk a $100,000 Fine (or More)

On the surface, it seems like an obvious choice – follow the law and avoid the risk of a hefty fine – but health care providers may learn the hard way that implementing HIPAA Security Rule requirements is, in fact, more complicated than it might first seem.

According to a recent U.S. Department of Health and Human Services Office for Civil Rights (OCR) settlement, a gastroenterology medical practice was fined $100,000 after an investigation by the OCR revealed that the practice had not taken the necessary precautions when reporting a breach related to a dispute with a business associate.[1] The investigation also uncovered that despite the practice having significant technical assistance throughout the investigation, it failed to accurately and thoroughly conduct a risk analysis after the breach.

HIPAA Security Rule Section 164.308(a)(1), a rule that this practice violated, deals with risk analysis and management and requires all health care providers to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”[2] This requirement is one of the many administrative and technical requirements under the Security Rule.

In addition to the $100,000 fine, Dr. Porter also pledged to adopt a corrective action plan to settle the violation of the HIPAA Security Rule.

Though completely avoidable, Dr. Porter’s violation is unfortunately not that uncommon in today’s digital world. Federal and state laws governing the privacy and security of health information affect nearly every participant in the health care industry and understanding these laws can be complicated. However, failing to comply with them can be costly.

Covered Entities and Business Associates are required by law to implement the HIPAA Security Rule, which includes (but is not limited to) conducting a security risk assessment. When in doubt, contact an attorney experienced in patient privacy and security matters to ensure compliance.

The experienced health care team at Dickinson Wright can help you understand and comply with health care privacy and security laws. But don’t wait until you receive a $100,000 fine. Reach out to our team today.

[1] https://www.hhs.gov/about/news/2020/03/03/health-care-provider-pays-100000-settlement-ocr-failing-implement-hipaa.html (accessed March 5, 2020).

[2] https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf (accessed March 5, 2020).

About the Author:

Rose Willis is an Attorney in Dickinson Wright’s Health Care Practice Group. She focuses her practice on health care regulatory, transaction, and corporate law in her representation of health care providers and suppliers and other participants in the health care industry. She regularly counsels health care industry clients on matters involving the privacy and security of health information, corporate documents, and compliance program elements, as well as software agreements, physician referral rules, and certificates of need. Rose can be reached at 248-433-7584 or rwillis@dickinson-wright.com.