[00:00.0 - 00:02.4] The practice of Stephen A. Porter, MD, [00:02.4 - 00:06.2] has agreed to pay $100,000 to the Office for Civil Rights, [00:06.2 - 00:11.2] OCR, at the US Department of Health and Human Services, [00:11.2 - 00:13.6] and to adopt a corrective action plan [00:13.6 - 00:16.2] to settle a potential violation of the Health Insurance [00:16.2 - 00:20.6] Portability and Accountability Act, HIPAA, Security Rule. [00:20.6 - 00:22.6] Dr.
Porter's medical practice provides [00:22.6 - 00:26.4] gastroenterological services to over 3,000 patients [00:26.4 - 00:28.4] per year in Ogden, Utah. [00:28.4 - 00:31.9] OCR began investigating Dr. Porter's medical practice [00:31.9 - 00:35.0] after it filed a breach report with OCR related to a dispute [00:35.0 - 00:36.5] with a business associate.
[00:36.5 - 00:39.8] OCR's investigation determined that Dr. Porter had never [00:39.8 - 00:43.0] conducted a risk analysis at the time of the breach report, [00:43.0 - 00:45.2] and despite significant technical assistance [00:45.2 - 00:47.1] throughout the investigation, had [00:47.1 - 00:49.6] failed to complete an accurate and thorough risk [00:49.6 - 00:52.0] analysis after the breach, and failed [00:52.0 - 00:54.8] to implement security measures sufficient to reduce [00:54.8 - 00:58.2] risks and vulnerabilities to a reasonable and appropriate [00:58.2 - 00:59.4] level. [00:59.4 - 01:02.0] "All health care providers, large and small, [01:02.0 - 01:04.7] need to take their HIPAA obligations seriously," [01:04.7 - 01:07.5] said OCR Director Roger Severino.
[01:07.5 - 01:10.6] "The failure to implement basic HIPAA requirements, [01:10.6 - 01:13.9] such as an accurate and thorough risk analysis and risk [01:13.9 - 01:17.7] management plan, continues to be an unacceptable and disturbing [01:17.7 - 01:20.6] trend within the health care industry." [01:20.6 - 01:22.8] In addition to the monetary settlement, [01:22.8 - 01:25.6] Dr. Porter will undertake a corrective action plan [01:25.6 - 01:28.1] that includes two years of monitoring.
[01:28.1 - 01:30.8] The resolution agreement and corrective action plan [01:30.8 - 01:33.1] may be found at HTTPS. [01:33.1 - 01:36.8] So www.HHS.gov. [01:36.8 - 01:41.1] HIPAA for Professionals slash Compliance Enforcement [01:41.1 - 01:43.8] Agreements, Porter Index.
[01:43.8 - 01:47.4] HTML source, HHS.gov.


