The Office of Civil Rights (OCR) of the Federal Department of Health and Human Services (HHS) recently reminded private practices that the requirements of the HIPAA Security Rule applies to them too. On March 3, 2020, the OCR reported that it reached a $100,000 settlement agreement with a private practice to address claims that the practice failed to perform the security risk analysis required by the Rule. This settlement is a strong cue to private practices that they must be conscious of the security of the Protected Health Information (PHI), which they create and use. Fortunately, OCR has also made available the Security Risk Assessment Tool, at no charge.

The HIPAA Security Rule creates standards for protecting PHI in electronic formats. It requires all Covered Entities, including private practices, to adopt administrative, physical and technical safeguards. These safeguards ensure the confidentiality, integrity and security of electronically stored PHI.

In the Settlement, a private practice initiated a complaint with OCR over a billing dispute, with the practice’s electronic records service provider. Upon investigation, the OCR found that the practice had failed to implement a risk analysis or to adopt security measures. The practice also failed to maintain an appropriated Business Associate Agreement, with its electronic records service provider. The OCR offered the practice “significant technical assistance” to remedy the violations. However, the practice failed to make use of that assistance.

The result was that the practice ended up entering a settlement agreement, under which it had to pay the OCR $100,000 in lieu of fines. In addition, the settlement had the practice enter into a Corrective Action Plan. The two-year Plan required correction of the violations, revision of policies, training and added reporting requirements.

This settlement should provide an alert to all private practices. The requirements of the Security rule do not apply only to large health care systems or sophisticated organizations. The Rule applies to all covered entities, regardless of size. While the settlement amount was somewhat modest, the costs of complying with the Corrective Action Plan further added to the practice’s expenses. Further, had a settlement not been reached, fines could have amounted to many times the settlement amount.

The OCR notes that risk analysis is the first step needed in complying with the Security Rule. With proper risk analysis, a practice evaluates the risks and vulnerabilities to the PHI it creates and uses. To assist covered entities of all sizes, the OCR has created a Security Risk Assessment Tool. This tool can be found at healthit.gov/security-risk-assessment. Additionally, the OCR has provided “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.  With this information, a private practice can meet its obligations, under HIPAA, to perform and maintain a proper security risk analysis.