Thursday, September 24, 2020
On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.
The penalty followed an OCR investigation into a July 2016 data breach reported by Athens Orthopedic in which hackers gained access to its systems using third-party vendor credentials and exfiltrated protected health information (“PHI”). The records of 208,557 patients were stolen and posted online, including names, dates of birth, Social Security numbers, medical procedure details, test results, billing information and health insurance information.
OCR’s investigation found that Athens Orthopedic was in longstanding noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements and provide HIPAA Privacy Rule training to workforce members. Under the terms of OCR’s resolution agreement, Athens Orthopedic must adopt a corrective action plan that includes two years of monitoring.
“Hacking is the number one source of large health care data breaches,” said OCR Director Roger Severino. “Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”
Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 268