September 21, 2020
The OCR is certainly seeing $$$ this September. On top of the record five fines announced last week, the Office for Civil Rights (OCR) has just announced the latest settlement of a whopping $1,500,000 fine and 2-year corrective action plan for an orthopedic clinic out of Georgia.
Athens Orthopedic Clinic found themselves in the HIPAA violation hot seat after a hacking incident sparked an OCR investigation beginning in 2016. The OCR found Athens Orthopedic had longstanding noncompliance with HIPAA rules, especially required technical safeguards, that led to the breach incident.
On June 26, 2016, the orthopedic clinic was notified that their database of patient records had been posted online for sale. Two days later, a hacker contacted the clinic demanding money in return for the stolen database. After investigation, Athens Orthopedic determined that the hacker was able to gain access through a vendor’s credentials on June 14, 2016, and the hacker continued to access protected health information (PHI) for a month after the initial breach. On July 29, 2016, Athens Orthopedic filed a breach report with the OCR noting all of the sensitive PHI that had been hacked: names, dates of birth, social security numbers, and other personal medical information of the 208,557 patients affected.
The breach initiated a full-scale investigation into the clinic’s HIPAA program, where the OCR discovered a laundry list of key compliance elements that the practice was missing:
- An updated and documented Security Risk Analysis
- Risk management and audit controls
- Properly documented HIPAA policies and procedures
- Secure Business Associate Agreements with multiple Business Associates
- HIPAA training for staff members
Cyber threats are an ongoing and rising threat to the healthcare industry. When practices lack the proper safeguards to secure their patients’ PHI, they put themselves at the top of hackers ‘easy target’ list (would your practice be posted if such a list existed?). Along with the fine, OCR Director Roger Severino emphasized that “Hacking is the number one source of large healthcare data breaches. Healthcare providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”
So how do you ‘hack proof’ your business? Well, you probably can’t completely prevent a hack given how quickly hackers adapt to new security measures, but your practice CAN go a long way to avoid being targeted (and getting slapped with a HIPAA fine) by ensuring your HIPAA compliance program – especially your technical safeguards – is up to scratch.