Orthopedic Clinic Agrees to Pay $1.5 Million to Settle Systemic HIPAA Noncompliance

Saul Ewing Arnstein & Lehr LLP

On September 21, 2020 the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced that Athens Orthopedic Clinic PA (AOC) agreed to pay $1,500,000, enter into a Resolution Agreement, and adopt a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC is located in Georgia and provides orthopedic services to approximately 138,000 patients annually. The Resolution Agreement is not an admission of liability by AOC.

On June 26, 2016, a journalist notified AOC that their patient records had been posted for sale online. Two days later, a hacker contacted AOC demanding money in exchange for a complete copy of the database that had been stolen. AOC subsequently determined that the hacker had used a vendor’s credentials on June 14, 2016 to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access the patients’ protected health information (PHI) for over a month.

AOC filed a breach report with OCR on July 29, 2016 informing OCR that more than 200,000 individuals were affected by the breach. The PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. OCR investigated and discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules. AOC’s noncompliance included failure to i) conduct a risk analysis, ii) execute business associate agreements (BAA) with multiple business associates, and iii) train workforce members on the HIPAA Privacy Rule.

In addition to the substantial monetary settlement, AOC has agreed to a CAP which includes two years of monitoring and performance of each of the following:

  • Review all relationships with vendors and third-party service providers to identify business associates, as well as provide HHS with an accounting of business associates and copies of BAAs.
  • Conduct an enterprise-wide analysis of security risks and vulnerabilities that includes all electronic equipment, data systems, programs and applications, to be submitted to HHS for review.
  • With HHS’ approval of AOC’s risk analysis, develop a risk management plan to address and mitigate any security risks identified.
  • Review and revise AOC’s written policies and procedures to comply with HIPAA’s Privacy, Security, and Breach Notification Rules.
  • Revise AOC’s business associate and BAA policies and procedures.
  • Adopt, distribute and routinely update the revised policies and procedures. Such policies and procedures must include at a minimum specific measures set forth in the CAP.
  • Revise training policies and procedures, which must be provided to HHS for review.
  • Provide workforce training utilizing HHS-approved training materials.

This OCR resolution is an important and expensive reminder to medical practices and all HIPAA covered entities that, in the words of OCR Director Roger Severino, “[h]acking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” All covered entities should review their current HIPAA Privacy and Security Rule policies and procedures to ensure they are fully compliant and up to date. Covered entities should also ensure they regularly conduct HIPAA training for their workforce members.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing Arnstein & Lehr LLP | Attorney Advertising