On September 21, 2020, the Office for Civil Rights (OCR) issued a press release announcing a $1.5 million settlement with Athens Orthopedic Clinic. The breach report that led to the settlement was prompted when a journalist notified Athens Orthopedic that a database of its patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in exchange for a complete copy of the stolen database. Using a vendor’s credentials, the hacker continued to access protected health information on the clinic’s systems for an additional month. The breach impacted over 208,000 patients.
As is required any time a breach impacts over 500 people, the OCR conducted an investigation and discovered “longstanding, systemic noncompliance with the HIPAA Privacy Rule and Security Rule” by Athens Orthopedic. The clinic failed to engage in meaningful risk assessment, risk management and audit activities; failed to maintain HIPAA policies and procedures; failed to have proper Business Associate Agreements in place; and failed to provide Privacy Rule training to members of its workforce. In addition to the monetary settlement, Athens Orthopedic has agreed to a robust corrective action plan that includes two years of monitoring, which can be very expensive.
If the Athens Orthopedic case were an isolated instance of a provider deciding to basically thumb its nose at the Privacy Rule and Security Rule requirements, it wouldn’t be all that newsworthy. Instead, this case continues a string of enforcement actions coming out of the OCR over the last few months that all use the same phrase: systemic noncompliance with the HIPAA Privacy Rule and Security Rule. HIPAA has been around since 1996; the Privacy Rule was adopted in 2000 and the Security Rule became law in 2010, yet many providers still do not take this matter seriously. As a result, the fines and settlement amounts for violations are beginning to get pretty expensive!
Whether the excuse is “it will never happen to us,” “we are too small for anyone to care about our information,” or my favorite, “we just can’t afford to do everything that is required in the privacy and security rules,” not paying attention to the requirements of both the Privacy Rule and the Security Rule can prove to be a very expensive matter. Taking the time to conduct a meaningful risk assessment, mitigate the identified risks, secure proper Business Associate Agreements, and properly train staff is an investment rather than a cost; an investment that could save millions down the road.
As OCR Director Roger Severino states, hacking is the number one source of health care breaches and providers that fail to follow the HIPAA Privacy Rule and Security Rule make their PHI a tempting target for hackers. When it comes to HIPAA, an ounce of prevention truly is worth a pound of cure.