Privacy Complaint Backfires, Leading to $100,000 HIPAA Settlement



HHS Resolution Agreement: Steven A. Porter, M.D., P.C. (Feb. 26, 2020); HHS News Release (March 3, 2020)

HHS’s Office for Civil Rights (OCR) has announced a $100,000 settlement with a medical practice (a HIPAA covered entity) to resolve alleged violations of HIPAA’s security rule. OCR’s investigation began after the practice used OCR’s breach notification process to report that one of its service providers (a HIPAA business associate) was blocking the practice’s access to patients’ protected health information (PHI) until the practice paid the business associate $50,000. OCR’s investigation revealed significant noncompliance by the practice, including failures to—(1) conduct an adequate risk analysis, (2) implement sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level, and (3) enter into required business associate contracts.

In addition to the settlement payment, the practice agreed to a two-year corrective action plan. Among other requirements, the practice must conduct an accurate and thorough risk analysis that includes a complete inventory of all electronic equipment, data systems, and applications that contain or store PHI. The practice must submit its risk analysis to OCR for review and approval. The approved risk analysis, which must form the basis for a risk management plan to be submitted to OCR for review and approval, will have to be evaluated and updated at least annually. The practice must also revise, subject to OCR’s review and approval, its policies and procedures to designate one or more individuals to oversee business associate relationships; identify business associates; create a standard business associate contract; and enter into and maintain business associate contracts in compliance with HIPAA. The practice’s use and disclosure policies and procedures also must be revised and, following OCR’s approval, used to train workforce members to recognize permissible and impermissible uses and disclosures of PHI; report potentially impermissible uses and disclosures to the practice’s privacy or security officer; and understand business associate requirements. The policies and procedures must also provide for oversight and supervision of workforce members.

EBIA Comment: The settlement is a reminder that people in glass houses should not throw stones. Although the practice’s position on blocking access to PHI to resolve a payment dispute was consistent with OCR guidance (see our Checkpoint article), blowing the whistle on the business associate before reviewing its own compliance status backfired badly. Having attracted OCR’s attention, the practice ended up paying, directly and indirectly, more than twice the amount originally demanded by the business associate. This and other recent resolution agreements illustrate that OCR continues to be serious about HIPAA enforcement and is not limiting its focus to large entities. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”).

Contributing Editors: EBIA Staff.
