Back in December, the Office for Civil Rights (OCR) settled with West Georgia Ambulance, Inc. after the latter failed to demonstrate that it had completed a risk analysis, implemented training, or developed a set of policies and procedures. West Georgia Ambulance paid only $65K to OCR and agreed to a two-year corrective action plan (CAP). Now, a practice run by Steven Porter, MD, has settled for $100K and a two-year CAP. This Covered Entity had also never completed a risk assessment, and again failed to do so during the OCR investigation.
While we have grown used to seeing multi-million dollar settlements coming from OCR, none of us outside of OCR really understands which exact factors produce a specific settlement amount. But I think we can all agree that a risk assessment costs significantly less than a CAP. As we detailed before, the settlement is only a fraction of the costs now borne by the practice. In addition to performing a risk assessment, we assume lawyer fees are being paid, and a class action lawsuit is probably being prepared by those affected by the breach.
Roger Severino is quoted as saying, "The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry" - and this continues to match our experience. We do love helping companies with their inaugural risk assessment work, even in 2020, but we continue to wonder how healthcare remains such a non-compliant industry when it comes to information security requirements. Let us know your thoughts!
Stay (HIPAA) Safe,