On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously.  OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule.  This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities.  OCR specifically noted that this practice sees approximately 3,000 patients per year.

This settlement occurred following OCR’s investigation of the practice after it filed a breach report related to a dispute with a business associate.  During the investigation, OCR uncovered that the practice never conducted a risk analysis at the time of the breach report and, despite receiving significant technical assistance during the investigation, the practice failed to complete a thorough risk analysis after the breach.  Risk analyses are critical for covered entities to identify risks and vulnerabilities and to address them at an appropriate level.

OCR’s Director, Roger Severino, summed it up by stating: “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

Conducting a risk analysis is a foundational step that covered entities must take to understand their vulnerabilities and, even more importantly, to understand where they should implement safeguards to best protect the electronic health information they maintain.  While there is no one-size-fits-all method for conducting a risk analysis, as HIPAA is scalable based on the size and complexity of the covered entity, this enforcement action shows that small providers need to take this responsibility seriously.  It is important to note that risk analysis should be an ongoing process, not a one-time exercise.  HIPAA does not prescribe how often a covered entity needs to conduct a risk analysis; however, given a shifting technological environment, best practice would be to conduct these analyses every two to three years, or sooner when implementing new technology (e.g., moving to a cloud-based server or moving to a new electronic health record vendor).

If you have any questions about conducting a risk analysis or any other HIPAA questions, please contact Stephanie S. Sobkowiak at 203.772.7782 or ssobkowiak@murthalaw.com or Daniel J. Kagan, at 203.772.7726 or dkagan@murthalaw.com.


Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.