OCR began investigating the solo practitioner after his medical practice (the “Practice”) filed a breach report with OCR related to the Practice’s dispute with its electronic health record (EHR) provider. The Practice’s breach report alleged that the EHR provider was blocking access to the Practice’s medical records, until the Practice paid the EHR provider $50,000.
Upon receipt of the breach report, OCR initiated a compliance review of the Practice and found that the Practice demonstrated significant noncompliance with the HIPAA rules. Specifically, the OCR investigation determined that the Practice had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
In addition to the $100,000 settlement, the Practice entered into a Resolution Agreement and Corrective Action Plan with OCR.
OCR issued a press release regarding the settlement, in which OCR Director Roger Severino stated: “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”
The takeaway: “All health care providers, large and small, need to take their HIPAA obligations seriously,” and perhaps the age-old wisdom that people in glass houses should not throw stones.