First HIPAA Penalty of 2020 Announced by HHS’ Office for Civil Rights


The Department of Health and Human Services’ Office for Civil Rights (OCR) has made public the first HIPAA penalty of 2020. The medical practice of Steven A. Porter, M.D., has committed to paying a fine of $100,000 to account for a number of possible HIPAA Security Rule breaches and has also agreed to implementing a a corrective action plan to address all areas of noncompliance discovered during the compliance audit following the discovery of the breach.

Dr. Porter’s medical practice is based in Ogden, UT and provides gastroenterological treatment to in excess of 3,000 patients. An investigation was begun by OCR after a data breach was made known to them on November 13, 2013. The breach was in relation to a business associate of Dr. Porter’s electronic medical record (EHR) company which was allegedly impermissibly ramsoming patients’ electronic medical records by blocking the practice’s access to ePHI until Dr. Porter transferred $50,000 to the company.

The breach investigation identified significant breaches of the HIPAA Security Rule at the practice. At the time of the audit, Dr. Porter had never completed a proper a risk analysis to identify dangers to confidentiality, integrity, and availability of ePHI, breaching 45 C.F.R. § 164.308(a)(1)(i), the practice had not brought potential risks down to a reasonable and acceptable level, and had not adopted policies and procedures to prevent, detect, contain, and correct security attacks.

From some time in 2013, the practice had permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory guarantees that the company would use proper safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

Throughout the length of the investigation, OCR provided major technical assistance, yet a risk analysis was not carried out after the breach and appropriate security measures were not used to cut risks and bring the down to an acceptable level.

Referring to the breach OCR Director, Roger Severino said: “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry”.