Orthopedic Clinic Settles with HHS OCR for $1.5 Million over Claims of Systemic HIPAA Noncompliance

By Glenn A. Brown on September 25, 2020

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan. The Clinic provides orthopedic services to approximately 138,000 patients annually.

In June 2016, a journalist notified the Clinic that a database containing the electronic protected health information (“ePHI”) of Clinic patients was being offered for sale on the dark web by a group known for infiltrating systems, stealing personal information, and demanding payment to prevent the sale of the stolen data. Two days later, the group contacted the Clinic directly and demanded money in return for a complete copy of the exfiltrated ePHI database. The Clinic subsequently determined that the group had used a vendor’s credentials to log in to the Clinic’s electronic medical record system and had accessed and exfiltrated ePHI over a period of more than a month. The Clinic reportedly refused to pay the ransom.

The Clinic reported the breach to OCR in July 2016, informing OCR that 208,557 individuals were affected and that the ePHI disclosed included patients’ names, dates of birth, Social Security numbers, medical procedures, test results and health insurance information.

According to the OCR press release, OCR’s investigation found longstanding, systemic noncompliance by the Clinic with the HIPAA Privacy and Security Rules, including failures to conduct risk analyses, to implement risk management and audit controls, to maintain HIPAA policies and procedures, to secure business associate agreements with three of its business associates, and to provide HIPAA Privacy Rule training to employees. As a result of these compliance failures, the Clinic failed to prevent unauthorized access to ePHI, in violation of the HIPAA Security Rule.

In addition to the financial payment, the Clinic agreed to a two-year corrective action plan covering the areas of noncompliance identified during OCR’s investigation. The corrective action plan requires the Clinic to obtain OCR’s prior approval of its policies, risk analyses and training materials and to submit annual reports to OCR. In settling the matter, the Clinic made no admission of liability.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

Glenn A. Brown

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US federal and state privacy laws, including the California Consumer Privacy Act (CCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act and the Driver’s Privacy Protection Act. Glenn is familiar with the legislative and regulatory landscape in the US and the EU and assists clients with developing strategies to address new developments.

Having served in-house in the capacity of Associate General Counsel and Chief Compliance Officer for more than 10 years, Glenn has a first-hand understanding of the day-to-day issues faced by clients when creating corporate privacy programs, implementing corporate compliance systems and responding to government investigations and examinations.

  • Posted in:
    Health Care
  • Blog:
    Triage Health Law
  • Organization:
    Squire Patton Boggs