Orthopedic Clinic Agrees to $1.5 Million Settlement with OCR and Two-Year Comprehensive Corrective Action Plan

King & Spalding

On September 21, 2020, the HHS Office of Civil Rights (OCR) announced a $1.5 million settlement with Athens Orthopedic Clinic, a Georgia orthopedic clinic, to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The orthopedic clinic also agreed to a comprehensive two-year corrective action plan that provides for detailed monitoring by HHS.

The settlement stems from a data hacking incident that occurred in 2016. In June 2016, a journalist notified the orthopedic clinic that a database of its patient records may have been posted online for sale. Two days later, a hacker group known as “The Dark Overlord” contacted the clinic demanding money in return for a complete copy of the stolen database. The clinic subsequently determined that the hacker had used a vendor’s credentials to access the electronic medical record system and exfiltrate the patient health data. In July 2016, the orthopedic clinic filed a breach report with OCR indicating that 208,557 individuals were affected by the breach, and that the protected health information (PHI) disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information.

OCR performed an investigation and concluded there was longstanding, systematic noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure certain business associate agreements, and to provide HIPAA Privacy Rule training to workforce members.

The orthopedic clinic’s corrective action plan includes two years of robust monitoring by HHS. A number of the provisions resemble common elements of OIG Corporate Integrity Agreements (CIAs), such as requirements for annual reports and reportable event submissions. The requirements of the corrective action plan also include:

  • Within 60 days and then annually thereafter, the orthopedic clinic must review all relationships with vendors and third-party service providers to identify business associates. The orthopedic clinic must also provide HHS with an accounting of its business associates and provide copies of all business associate agreements.
  • The orthopedic clinic must conduct a risk analysis overseen and approved by HHS. HHS will also oversee and approve the development of an enterprise-wide risk management plan based on that risk analysis. This risk analysis and risk management process must be repeated annually during the term of the corrective action plan.
  • The orthopedic clinic must review and revise various written policies and procedures and provide such policies and procedures to HHS for its review and approval.
  • The orthopedic clinic must provide HHS with proposed training materials for HHS’s review and approval.

OCR’s press release is available here. The resolution agreement and corrective action plan are available here.

Written by:

King & Spalding