Athens Orthopedic Clinic PA has agreed to settle with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for its widespread noncompliance with HIPAA. More details about the HIPAA settlement are discussed below.
Why Did OCR Investigate Athens Orthopedic?
On June 26, 2016, Athens Orthopedic was contacted by a journalist who had found a database of their protected health information (PHI) listed for sale online. The organization was then contacted on June 28, 2016 by a hacker who was demanding monetary compensation in exchange for a copy of the stolen database.
After conducting an investigation into the incident, Athens Orthopedic determined that a hacker gained access to their electronic medical record system on June 14, 2016, and continually accessed the data until July 16, 2016.
Athens Orthopedic filed a breach report with HHS’ OCR on July 29, 2016 in which it revealed that 208,557 patients were affected by the breach. PHI that was accessed included patients’ names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information.
Noncompliance with HIPAA Privacy and Security Rules
The HHS’ OCR investigation revealed longstanding noncompliance with HIPAA standards.
Athens Orthopedic’s noncompliance with HIPAA included:
Failures to
◈ conduct a risk analysis;
◈ implement risk management and audit controls;
◈ maintain HIPAA policies and procedures;
◈ secure business associate agreements with multiple business associates; and
◈ provide HIPAA Privacy Rule training to workforce members.
As a result, Athens Orthopedic is subject to a $1.5 million fine, an extensive corrective action plan (CAP), and two years of monitoring by OCR.
“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” stated OCR Director Roger Severino.
To read more about the HIPAA settlement, please click here.
