GA Orthopedic Practice In $1.5M HIPAA Settlement

Rivkin Radler LLP

Rivkin Radler LLP

On September 21, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $1.5 million agreement with Athens Orthopedic Clinic PA to settle “longstanding, systemic noncompliance” with the HIPAA Privacy and Security Rules. OCR’s investigation was triggered by a 2016 data breach that affected more than 200,000 of Athens Orthopedic’s patients. The practice employs 22 physicians along with more than 50 physical therapists and other ancillary personnel at 10 office locations in Georgia.

In 2016, a hacking group known as “thedarkoverlord” stole the data of more than 655,000 patients, including patients of Athens Orthopedic. After demanding ransom payments for the return of the data, which Athens Orthopedic refused to pay, the hackers posted patient records online. Some of Athens’ patients filed a lawsuit against the practice, which remains in process, claiming that Athens was negligent, among other things.

After Athens Orthopedic reported the data breach to OCR, OCR’s investigation revealed numerous HIPAA violations, “including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”

In addition to the civil monetary penalty, Athens Orthopedic’s Resolution Agreement with OCR includes an unusually extensive corrective action plan (CAP) to address all of the violations. Among the CAP requirements, Athens Orthopedic must review and revise its HIPAA policies and procedures, particularly with regard to its technical access controls for stored electronic protected health information, and conduct an enterprise-wide security risk analysis of system vulnerabilities of all electronic equipment, data systems, programs, and applications controlled, administered, owned, or shared by Athens Orthopedic and its affiliates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.