First HIPAA Enforcement Action of 2020: Provider Size Does Not Matter but the Content of Its Breach Report Does

Earlier today, I presented on HIPAA Enforcement Trends to the Connecticut Society for Healthcare Risk Management.  I pointed out that large and small providers alike are under scrutiny and that 30% of the 2019 enforcement actions were against small providers.   While walking to my car after the presentation, I read the Office for Civil Rights’ press release about its first enforcement action of 2020.  I was not surprised that OCR began its enforcement year with an action against another small provider.  OCR is sending a clear message that no group is immune from enforcement actions.  In fact, in the press release, OCR Director Roger Severino said “[a]ll health care providers, large and small, need to take their HIPAA obligations seriously.”

In this settlement, a small Utah gastroenterologist agreed to pay $100,000 to settle claims that the provider failed to complete an accurate and thorough risk analysis, failed to implement measures to appropriately reduce risks and vulnerabilities and failed to have an adequate business associate agreement with its electronic health record (“EHR”) vendor.  The provider filed a “breach” report with OCR in 2013 stating that its EHR vendor blocked the provider’s access to electronic patient records until the provider paid a fee of $50,000. 

Not surprisingly, OCR found the report interesting enough to initiate an investigation.  Also, not surprisingly, OCR’s investigation uncovered many HIPAA Security Rule compliance issues, as such compliance issues are common and regularly found by OCR.    

Another point that I made during my presentation this morning was the importance of a well-crafted breach report to ensure that you do not unnecessarily invite an investigation from OCR.  Instead, the report should provide detailed information about the incident and explain all the corrective measures in place to ensure that a similar incident does not occur again.  Don’t leave any unanswered questions and don’t draw any unnecessary attention. 

While we do not know what the Utah provider’s breach report said, I suspect that it would be a shining example of how not to craft a breach report.  Based on the limited facts we have, it’s not even clear that there was an actual breach but rather just a dispute between two business parties.   The Utah provider likely is wishing that he had never tried to use OCR as leverage in his private dispute.

Lessons from the first enforcement action of 2020:  (1) No covered entity is immune from HIPAA enforcement.  (2) Craft factual breach reports that leave no unanswered questions and do not unnecessarily grab OCR’s attention.