A gastroenterologist in Utah who felt he was being held captive by an electronic health record (EHR) vendor found his 2013 complaint to the HHS Office for Civil Rights (OCR) came back to haunt him. While the payment dispute resolved, OCR took notice of the complaint and turned its attention to Steven Porter, MD, of Ogden. Seven years later, Porter found himself agreeing to pay OCR $100,000 and implement a two-year corrective action plan (CAP) for alleged HIPAA violations.
Porter’s settlement, the first of 2020, comes three months into the new year, and on the heels of 10 OCR enforcement actions in 2019, including one announced with just two days left in the year.
Serena Mosley-Day, OCR senior advisor for HIPAA compliance and enforcement, said at the recent HIPAA Summit that Porter’s settlement is unusual in that it “started as a breach report [but] not the way we traditionally think of it.”
Also at the meeting, a top OCR official said the agency was “looking to increase” the number of enforcement actions this year beyond the 10 undertaken last year.
However, in other ways Porter’s settlement fit a mold: OCR has found especially small medical practices roundly non-compliant with the security rule. And the fact that the case stretched out over so many years has been a common occurrence, at least until recently.
Porter, a solo practitioner, did not respond to RPP’s request for comment left with his office and with his attorney.
In her remarks, Mosley-Day noted that Porter “filed a breach report because he was having an issue with a business associate that he had; the allegation was the BA was withholding his patients’ [protected health information] PHI in return for some monetary remuneration.” Porter tried to establish his own EHR firm but was unsuccessful and thus contracted with a vendor called Elevation43 LLC, according to the CAP. Utah business records show this firm was dissolved in 2017.
According to the settlement documents, OCR received a breach report on Nov. 21, 2013, which indicated that Elevation43 was blocking access “until Dr. Porter paid Elevation43 $50,000.” It is not known how many patients were affected by this, and the incident does not appear on OCR’s public breach portal that lists those involving 500 or more individuals.
Interestingly, the portal does list one breach for Porter: a report dated May 6, 2014, involving 500 individuals, resulting from “improper disposal” of a network server. No other information is included. This incident is not mentioned in OCR’s settlement materials nor was it addressed by Mosley-Day.
By the time OCR began its investigation, the claim of illegal withholding “was closed because the practice was able to get their PHI,” she said, adding that this EHR vendor itself went out of business.
“But then, in the course of that investigation, we looked at Dr. Porter’s practice [asking him], what’s going on with your risk analysis, what’s going on with your risk management plan? And when we started, and for a good time after we started the investigation, they didn’t have a risk analysis and also didn’t have a risk management plan,” she said.
According to Mosley-Day, “there were some attempts at a risk analysis, which were not successful,” and the agency “attempted at various times to give technical assistance with respect to the requirements of risk analysis and a risk management plan, and that wasn't successful either.”
At that point, said Mosley-Day, OCR “started to get down to the enforcement track,” with the resolution being the two-year CAP and $100,000 payment.
The CAP has fairly typical but wide-ranging requirements to conduct a risk analysis and develop a mitigation plan, revise as needed security management practices, adopt policies and procedures for uses and disclosures, and implement a plan for oversight of BAs.
Additionally, training workers on new policies and procedures is part of the CAP, as is forwarding OCR word of reportable events, and submitting periodic and annual implementation updates.