Opening the 2020 enforcement list for OCR is a doctor’s office that reported a breach due to a business associate issue and then did nothing. The settlement wasn’t due to the BA but because the office had no SRA in place. Let’s break down the settlement with Steven A. Porter, M.D., P.C., a sole gastroenterologist practice in Ogden, UT. Time to learn from their mistakes.
In this episode:
No SRA First 2020 OCR Enforcement – Ep 246
2020 Spring Session Dates
August 18, 19, 20
2020 Fall Session Dates
Sept 15, 16, 17
San Pedro, CA
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
No SRA In First 2020 OCR Enforcement
Time to get the ball rolling with OCR enforcement announcements in 2020. We believe we are going to see several of these statements come out this year for many reasons. First, we know there are several old ones out there that have to be nearing the point of resolution. Add to that the letter we discussed from Congress about enforcement related to the images exposed and OCR may think it has something to prove.
As usual, this settlement has much to tell us when we dig into it. Remember to treat this as your guide to understanding what OCR does expect you to do. Well, maybe you need to see it as what they do NOT want to see you doing when it comes to privacy and security protections.
Small practices should pay attention to this one.
This settlement is with the practice of Steven A. Porter, M.D. of Ogden, UT. Porter is a gastroenterologist and a sole practitioner. That is right, a single doctor practice, not a big group. Now we have proof that they do not ignore you because you are small. The practice says on its website that it sees about 3,000 patients a year. It also says they have seen over 30K patients in total.
The customary quote from Director Severino in the press release says it clearly. Don’t think you are too big or too small to protect your patients.
No SRA in settlement but it started with a BA issue
On November 21, 2013, Dr. Porter’s office reported a breach to OCR, which launched the original investigation. As we have said many times, you are guaranteed to get a visit from OCR when you report a breach affecting 500 or more individuals. The breach had to do with a BA blocking the practice’s access to the PHI the BA had control over. According to the breach notice to OCR, Elevation43, Dr. Porter’s EHR company and business associate, was impermissibly using the practice’s patients’ ePHI by blocking the practice’s access until Porter paid Elevation43 $50,000.
This particular breach notice is probably what prompted some general guidance from OCR about business associates holding data hostage. That BA guidance was released back in 2016 and directly addresses the issue. Based on the dates and how long things take to get through the system, it certainly could be the reason we saw it.
The guidance’s short answer is NO. The notice points out that CEs and BAs are only allowed to use PHI for TPO. Withholding access to PHI also violates the Availability requirement of the Security Rule. A big no-no in several ways.
OCR cleared the access issue up between them pretty quickly with that statement, I am sure. But, here’s the thing. The practice may have been happy to have that resolved, but OCR is still hanging out in the same sandbox with you, so they say, “Hey, where’s your SRA?”
So there is no SRA?
I just heard Serena Mosely-Day’s review of the case at the HIPAA Summit (more on that in another episode soon). The press release says the practice, “despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach”. I don’t think I have ever seen them say that they had provided “significant technical assistance”. According to Mosely-Day’s review of the case, it sounded to me like they told them they needed to do one and allowed a bunch of time to get it done. What they submitted in response was not an acceptable SRA. OCR explained what they expected to see and still didn’t get what they wanted. I believe it may have been after the third time they didn’t get one that they said, we are coming in for a deeper look at your program.
OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Here are the specific violations they indicated:
- The Practice failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, the Practice has failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. Further, the Practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. See 45 C.F.R. § 164.308(a)(1)(i).
- The Practice permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on the Practice’s behalf at least since 2013 without obtaining satisfactory assurances that the EHR company will appropriately safeguard the ePHI. See 45 C.F.R. § 164.308(b).
In that second bit there, it doesn’t say there was no BAA in place; it uses that “obtaining satisfactory assurances” phrase. Does that mean there was an attempt at a BAA but nothing was there? Either way, the vendor and the practice were not following the rules very closely.
The $100,000 settlement says a few things to me, also. If they never met the SRA, RM, or BAA requirements for a period of years, that could be a lot of max fines each year. They didn’t force that but offered a settlement. However, that is a pretty high number for a single doc practice, especially when you add it to an investigation that has gone on for 7 years, periodically rearing its head. Plus, the 2-year CAP is a pretty big deal. Of course, we are only able to read a lot of things between the lines. We do not know for sure the facts of this specific case.
No SRA imaginary scenario (totally fictitious story using the facts we do know)
That being said, we can create a scenario that is totally based on our experiences and cases we are aware of in our businesses, along with the facts we do have here. We may or may not be right, but I don’t think this is a far-fetched story using this information.
Small practice gets into one of those business contests of wills between the owner and the owner of a BA they use. Both sides try to maneuver outside their legal boundaries. The BA pushes too far when they cut off access to PHI. That creates a situation where the practitioner must explain to patients why he can’t treat them or why he can’t get to their records.
Up to this point, neither the practitioner nor the BA has cared much about their HIPAA obligations. We know that drill all too well and have discussed it here many times. Obviously, the BA didn’t care too much about patient care or the CIA if they were willing to lock out the practice. Without access to the EHR, things have gotten serious. An attorney points out that this should be reported as an impermissible use of PHI by the BA. For the first time ever, this fictitious doctor has found a use for HIPAA that should get the BA off his back.
Since there isn’t a serious understanding of HIPAA, the doctor has no idea that this breach report will also trigger an investigation into their own program. I wonder if things would be different if that point could be included in the business decision our fictitious businesses are making in this scenario.
Once OCR explains to the BA that they are not allowed to act this way, the data starts to flow. We can assume that OCR may be asking some questions about the HIPAA program for both sides of this dispute. OCR solved the problem, but now the investigation takes place, right? Both parties are asked to show their SRA and BAAs. Show me yours and I will show you mine. 🙂
This just got serious up in here! We don’t need no stinking SRA. Didn’t somebody set up that HIPAA manual for us when we started the practice? Send that over to them and see if they go away. From there you immediately learn that ignoring OCR is a very bad idea. If you cannot prove you have been doing these things for the amount of time your business has existed, then they will find out. Don’t lie either; they really hate it when you lie to them.
The frustrating / sad part of the story is that if the practitioner had even been making an effort to comply with the rules at that point, we would not be hearing anything else about it. Even more frustrating / sad, if they had made an immediate effort after this happened to get the house in order, we wouldn’t be here either. On the surface, anyway, this appears to be one of those cases we hate to hear about but can’t do anything but walk away from when we do. There are way too many cases where the answer to HIPAA obligations is “I refuse to deal with it” or “I don’t have money to deal with it” or “I don’t have time to deal with it”. This appears, at least, to be one of those cases. Now, they are on a 2-year CAP being monitored by OCR to make sure they meet their obligations.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!