$1.5 Million OCR Fine Issued for Widespread Noncompliance with HIPAA

Athens Orthopedic Clinic PA has agreed to settle with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for its widespread noncompliance with HIPAA. More details about the HIPAA settlement are discussed below.

Why Did OCR Investigate Athens Orthopedic?

On June 26, 2016, Athens Orthopedic was contacted by a journalist who had found a database of their protected health information (PHI) listed for sale online. The organization was then contacted on June 28, 2016 by a hacker who was demanding monetary compensation in exchange for a copy of the stolen database. 

After conducting an investigation into the incident, Athens Orthopedic determined that a hacker gained access to their electronic medical record system on June 14, 2016, and continually accessed the data until July 16, 2016. 

Athens Orthopedic filed a breach report with HHS’ OCR on July 29, 2016 in which it revealed that 208,557 patients were affected by the breach. PHI that was accessed included patients’ names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information.

Why Compliancy Group

HIPAA Compliance is an important part of your business, so why not use someone you can trust? Compliancy Group is the only compliance firm to be listed on both Inc. 2020 Best Places to Work and 2020 Inc. 5000 list of the fastest-growing private companies in America. By working with us, you are welcomed into the safety of our family.

Put your trust in us

Noncompliance with HIPAA Privacy and Security Rules

The HHS’ OCR investigation revealed longstanding noncompliance with HIPAA standards

Athens Orthopedic’s noncompliance with HIPAA included: 

Failures to 

conduct a risk analysis

implement risk management and audit controls; 

maintain HIPAA policies and procedures;

secure business associate agreements with multiple business associates; and 

provide HIPAA Privacy Rule training to workforce members.

As a result, Athens Orthopedic is subject to a $1.5 million fine, an extensive corrective action plan (CAP), and two years of monitoring by OCR.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” stated OCR Director Roger Severino.

To read more about the HIPAA settlement, please click here.