March 03, 2020 – A sole practitioner in Utah settled with DHS OCR for $100,000 for failing to implement certain HIPAA security requirements. Additionally, the provider must adopt a corrective action plan going forward. Many providers believe the OCR has “bigger fish to fry” than the small practice, but this judgment proves otherwise. This latest action by OCR may signal a widening of its scrutiny, which may be costly for the unprepared practice.
Statistically speaking, it is believed that most physician practices have already been breached. Director Roger Severino said in a statement, “the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be unacceptable and a disturbing trend within the healthcare industry.”
Jay Swearingen from Vijilant in Maryland said, “These large fines are particularly unnecessary when there are companies out there that will perform a risk analysis for small practices for a very low price.” Assuming your existing IT or EHR vendor has you “covered” is not a prudent strategy.