
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced that a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016. Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which is required to prevent the publication or sale of the stolen data.

Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security numbers, procedures performed, test results, clinical information, billing information, and health insurance details.

OCR accepts that it is not possible to prevent all cyberattacks, but when data breaches occur as a result of the failure to comply with the HIPAA Rules, financial penalties are appropriate.


“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

OCR Investigation Reveals Systematic Noncompliance

The OCR investigation into the breach revealed systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Security procedures had not been implemented to reduce the potential risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, in violation of 45 C.F.R. § 164.312(b).
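The audit-control requirement above is abstract, so here is an added illustration (not code from the article, OCR, or the clinic) of the kind of review that "recording and analyzing information system activity" implies. It parses a few constructed EHR access-log lines and flags the pattern the breach narrative describes: a vendor account reading and exporting many patient records, off-hours, from a source address outside the vendor's known range. The log format, account names, IP prefixes, business-hours window and volume threshold are all assumptions chosen for the example.

```python
"""Toy audit-control review over constructed EHR access-log lines.

Added example only: the log format, account names, thresholds and
IP addresses below are assumptions made up for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format):
# timestamp \t account \t source_ip \t action \t patient_id
SAMPLE_LOG = """\
2016-06-14T02:01:10Z\tvendor_support\t203.0.113.7\tREAD\tP-1001
2016-06-14T02:01:11Z\tvendor_support\t203.0.113.7\tREAD\tP-1002
2016-06-14T02:01:12Z\tvendor_support\t203.0.113.7\tREAD\tP-1003
2016-06-14T02:01:13Z\tvendor_support\t203.0.113.7\tEXPORT\tP-1004
2016-06-14T09:15:00Z\tdr_smith\t10.0.5.21\tREAD\tP-2001
2016-06-14T09:20:00Z\tdr_smith\t10.0.5.21\tREAD\tP-2002
"""

VENDOR_ACCOUNTS = {"vendor_support"}   # assumed: accounts issued to third-party vendors
KNOWN_VENDOR_NETS = ("198.51.100.",)   # assumed: allow-listed vendor source prefix(es)
BUSINESS_HOURS = range(7, 19)          # assumed: agreed vendor maintenance window, UTC
BULK_THRESHOLD = 3                     # assumed: distinct patients per account per hour


def parse(log_text):
    """Turn tab-separated log lines into event dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, patient = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "ip": ip, "action": action, "patient": patient,
        })
    return events


def review(events):
    """Return a sorted list of unique (finding, account, detail) tuples.

    Checks: vendor logins from unknown sources, vendor activity outside the
    maintenance window, any bulk EXPORT action, and high record volume per
    account per hour (the exfiltration signature an audit review should catch).
    """
    findings = set()
    per_hour = defaultdict(set)  # (account, hour bucket) -> distinct patients touched
    for e in events:
        bucket = e["ts"].replace(minute=0, second=0)
        per_hour[(e["account"], bucket)].add(e["patient"])
        if e["account"] in VENDOR_ACCOUNTS:
            if not e["ip"].startswith(KNOWN_VENDOR_NETS):
                findings.add(("vendor_unknown_source", e["account"], e["ip"]))
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.add(("vendor_off_hours", e["account"], f"{e['ts'].hour:02d}:00Z"))
        if e["action"] == "EXPORT":
            findings.add(("export", e["account"], e["patient"]))
    for (account, bucket), patients in per_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.add(("high_volume", account,
                          f"{len(patients)} patients in hour {bucket.isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

On the sample, every finding points at the vendor account: unknown source, off-hours activity, an export, and four distinct patients within one hour, while the clinician's two daytime reads produce nothing. The point is not the specific thresholds, which an organisation must tune from its own risk analysis, but that none of these signals exist to review unless access to ePHI is being recorded in the first place.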

The clinic did not maintain HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016, it had not entered into business associate agreements with three of its vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to the entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of these compliance failures, Athens Orthopedic Clinic failed to prevent unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

Corrective Action Plan has Significant Retraining Requirements

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all aspects of noncompliance discovered during the OCR investigation. As part of the corrective action plan, Athens Orthopedic Clinic will have to develop or revise policies to comply with at least twelve HIPAA standards – nine of which will result in “material changes” to the roles and functions of workforce members.

Once the new and revised policies have been approved by OCR, Athens Orthopedic Clinic will have sixty days to submit a training program to OCR for review and approval. Once approved, the Clinic has thirty days in which to provide material change and security awareness HIPAA training to all members of the workforce. All members of the workforce must attest to having received the training, and further refresher training must be provided at least annually for the duration of the corrective action plan.

This is the sixth HIPAA settlement to be announced by OCR in September and the ninth HIPAA penalty of 2020. Earlier this month, OCR announced five settlements had been reached with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with a copy of their health information.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
