On September 21, 2020 the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), announced that Athens Orthopedic Clinic PA (AOC) agreed to pay $1,500,000, enter into a Resolution Agreement, and adopt a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC is located in Georgia and provides orthopedic services to approximately 138,000 patients annually. The Resolution Agreement is not an admission of liability by AOC. On June 26, 2016, a journalist notified AOC that their patient records had been posted for sale online. Two days later, a hacker contacted AOC demanding money in exchange for a complete copy of the database that had been stolen. AOC subsequently determined that the hacker had used a vendor’s credentials on June 14, 2016 to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access the patients’ protected health information (PHI) for over a month.

AOC filed a breach report with OCR on July 29, 2016 informing OCR that more than 200,000 individuals were affected by the breach. The PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. OCR investigated and discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules. AOC’s noncompliance included failure to i) conduct a risk analysis, ii) execute business associate agreements (BAA) with multiple business associates, and iii) train workforce members on the HIPAA Privacy Rule.

In addition to the substantial monetary settlement, AOC has agreed to a CAP which includes two years of monitoring and performance of each of the following:

• Review all relationships with vendors and third-party service providers to identify business associates, as well as provide HHS with an accounting of business associates and copies of BAAs.
• Conduct an enterprise-wide analysis of security risks and vulnerabilities that includes all electronic equipment, data systems, programs and applications, to be submitted to HHS for review.
• With HHS’ approval of AOC’s risk analysis, develop a risk management plan to address and mitigate any security risks identified.
• Review and revise AOC’s written policies and procedures to comply with HIPAA’s Privacy, Security, and Breach Notification Rules.
• Revise AOC’s business associate and BAA policies and procedures.
• Adopt, distribute and routinely update the revised policies and procedures. Such policies and procedures must include at a minimum specific measures set forth in the CAP.
• Revise training policies and procedures, which must be provided to HHS for review.
• Provide workforce training utilizing HHS-approved training materials.

This OCR resolution is an important and expensive reminder to medical practices and all HIPAA covered entities that, in the words of OCR Director Roger Severino, “[h]acking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.” All covered entities should review their current HIPAA Privacy and Security Rule policies and procedures to ensure they are fully compliant and up-to-date. Covered entities should also ensure they regularly conduct HIPAA training for its workforce members.