On March 3, 2020, the Health and Human Services Office for Civil Rights (“OCR”) announced a $100,000 settlement with a physician practice (“Practice”) that it found to be significantly out of compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). OCR identified a number of deficiencies in the Practice’s HIPAA compliance program while investigating the Practice’s information-blocking complaint against a subcontractor business associate of the Practice’s electronic health records (“EHR”) vendor (“EHR Vendor”).
The Settlement
The Practice filed a breach report in 2013 with OCR, claiming that a business associate (“Company”) of the Practice’s EHR Vendor had prevented the Practice from accessing patient electronic protected health information (“ePHI”) unless the Practice paid $50,000 to the Company. This tactic is referred to as “information-blocking.” In response to the information-blocking complaint, OCR also conducted a compliance investigation into the Practice. As a result of that investigation, OCR discovered that the Practice itself had significant noncompliance with HIPAA, including:
- The Practice did not have policies and procedures implemented to protect the security of ePHI;
- The Practice had not performed a security risk analysis to identify and mitigate potential risks and vulnerabilities to the confidentiality, integrity and availability of the Practice’s ePHI; and
- The Practice had not obtained HIPAA-required “satisfactory assurances” from the EHR Vendor.
Further, OCR noted in its announcement that technical assistance was provided to the Practice but that the Practice did not follow such technical assistance, which included instruction to conduct a risk analysis.
The Importance of Technical Assistance from OCR
Of special note, OCR once again emphasized in its announcement that “significant technical assistance” was offered to the Practice but that the Practice failed to implement such technical assistance and the reasonable and appropriate security measures described therein. During or following a HIPAA investigation, OCR often provides technical assistance to help covered entities address deficiencies in HIPAA compliance, sometimes in lieu of a fine. We discussed the nuances of OCR’s provision of technical assistance in greater detail here. OCR has recently been noting the failure to comply with technical assistance as a factor in its settlements.
The Importance of Satisfactory Assurances
The failure to obtain satisfactory assurances from the EHR Vendor is important here. When a covered entity contracts with another party to perform services for or on behalf of the covered entity that requires the other party to create, receive, maintain or transmit PHI for or on behalf of the covered entity, that party is generally considered a business associate of the covered entity. Satisfactory assurances must be obtained by the covered entity from the party acting as its business associate. These satisfactory assurances are included in a “business associate agreement,” where the business associate agrees to safeguard PHI, only use PHI as permitted or required by its contract with the covered entity and assist in the covered entity’s compliance with its duties under the HIPAA Privacy Rule.
When a business associate hires another party to help perform some or all of the services the covered entity has hired the business associate to perform, referred to as a “subcontractor,” the business associate is obligated to obtain the same satisfactory assurances from the subcontractor, which often come in the form of a “subcontractor business associate agreement.”
The EHR Vendor was acting as a business associate of the Practice, requiring that a satisfactory business associate agreement be in place between the Practice and the EHR Vendor. When the EHR Vendor contracted with the Company to assist in the performance of the services for the Practice, a compliant subcontractor business associate agreement was required between the EHR Vendor and the Company. The Practice’s failure to obtain an adequate business associate agreement with the EHR Vendor may have resulted in the lack of an adequate subcontractor business associate agreement between the EHR Vendor and the Company. This is because the EHR Vendor would have been required to pass the obligations under its business associate agreement with the Practice down to the Company. When an information-blocking dispute arises, a covered entity would typically pursue resolution of such a dispute based on the terms of the business associate agreement and the subcontractor business associate agreement. Such agreements often provide a contractual mechanism, or at least the HIPAA-required satisfactory assurances, that the covered entity can rely on to pursue a claim to combat the information-blocking attempt, even against a business associate’s subcontractor, without involving OCR.
The CAP
The Practice entered into a corrective action plan (“CAP”) as part of the settlement. Among other things, the CAP requires the Practice to:
- Conduct a risk analysis;
- Revise policies and procedures related to security; and
- Implement training.
Practical Takeaways
In light of this settlement agreement, covered entities should note the following:
- Establish a process to enter into adequate business associate agreements with vendors who act as business associates.
- Confirm that vendors who are business associates have a process in place to obtain adequate satisfactory assurances from any subcontractors.
- Regularly perform a risk analysis and mitigate such risks.
- Ensure policies and procedures, especially those that relate to security, are updated as the organization and technology evolve.
- In the event of an act, such as information-blocking, that constitutes a material breach of a vendor’s business associate obligations, covered entities should consider taking appropriate action against the business associate, including contract termination.
If you have any questions or would like additional information about this topic, please contact:
- Charise Frazier at (317) 977-1406 or cfrazier@wp.hallrender.com;
- Stephane Fabus at (414) 721-0904 or sfabus@wp.hallrender.com;
- Patricia Connelly at (317) 429-3654 or pconnelly@wp.hallrender.com; or
- Your regular Hall Render attorney.
For more information on Hall Render’s HIPAA, Privacy & Security services, click here.