The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has slapped a penalty of $1.5 million on the clinic. The penalty is the result of an OCR investigation that found longstanding and systemic non-compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Athens Orthopedic Clinic is a covered entity and is therefore required to comply with the HIPAA Rules. It employs 398 people and serves 138,000 patients annually across Northeast Georgia.
The Northeast Georgia clinic suffered a major hack on June 14, 2016. A hacker group known as "The Dark Overlord" broke into its systems using the login credentials of a third-party vendor.
The intrusion lasted for about a month. During that time, the hackers stole a broad set of protected health information.
Following HIPAA requirements, Athens Orthopedic Clinic informed HHS of the data breach. It also sent breach notification letters to patients informing them of the incident. According to reports, the cost of responding to the breach was large enough that the clinic stated it could not afford to pay for credit monitoring services for the affected patients. Patients soon filed a lawsuit against the clinic.
In December 2019, the Georgia high court ruled in favor of the patients, allowing them to proceed with a lawsuit against the clinic over the 2016 incident.
On September 21, the OCR announced that it had concluded its investigation of the clinic's HIPAA compliance practices. Athens Orthopedic has agreed to pay a penalty of $1.5 million to settle potential HIPAA violations. The clinic has also entered into a two-year corrective action plan (CAP) with the department.
This agreement is the result of an OCR investigation launched in response to the 2016 data breach. The breach compromised the PHI of nearly 210,000 people. The hackers stole a colossal amount of patient data from the clinic, including names, telephone numbers, dates of birth, Social Security numbers, medical data, and financial and billing information of the affected individuals.
Hackers gained access to Athens's systems on June 14. The clinic became aware of the intrusion on June 26, and only because a journalist notified it that its database had been posted online for sale. Later, the hacker group contacted Athens to demand a ransom. The clinic responded by identifying and terminating the credentials the hacking group was using. But it took another few weeks to block the intruders and shut them out of its systems.
The hack lasted for about a month between June 14, 2016 and July 16, 2016.
The OCR investigation has revealed that there was longstanding and systemic non-compliance with HIPAA privacy, security, and breach notification rules across the organization.
The potential violations of the HIPAA Security and Privacy Rules revealed by the investigation include:
- Failure to maintain copies of HIPAA policies and procedures. The corrective action plan lists several policies and procedures that need revision. It also lists new policies that the clinic must put in place.
- Failure to implement mechanisms that record and examine activities in information systems that handle ePHI.
- Failure to enter into business associate agreements with its business associates. The OCR identified three such business associates during its investigation.
- Failure to train its workforce for HIPAA compliance.
- Failure to conduct a risk assessment of its technology assets and information systems that contained or used ePHI.
- Failure to put in place security measures to reduce the risks and vulnerabilities to ePHI to a reasonable level.
The OCR also held Athens responsible for failing to prevent the data breach.
The corrective action plan signed between the OCR and Athens is quite extensive. Athens must carry out the changes listed in the CAP and report them back to the OCR. Here are the key requirements you need to know about.
- Identify business associates and sign business associate agreements with them.
- Athens must also appoint a person to oversee the process of identifying business associates, signing contracts, and updating the contracts as necessary.
- Conduct a risk assessment of its assets and information systems that handle ePHI. The assessment should cover all potential risks and vulnerabilities in those systems, and it includes creating an inventory of the clinic's IT assets.
- Develop a security management plan to mitigate the risks identified by the risk assessment.
- Create new policies as guided by the CAP document.
- Revise existing policies and procedures to meet HIPAA requirements.
- Update business associate policies and procedures.
- Distribute the new and revised policies to the workforce.
- Provide HIPAA training to everyone.
Under the agreement, Athens Orthopedic would need to review and revise its policies and procedures that relate to
- Access control,
- Password practices,
- Workforce training,
- Tracking user activity,
- Ensuring minimum access to users,
- Terminating user access as necessary, and
- Handling of suspicious account activity.
The updated access control policies and procedures need to cover access controls for
- Network and server equipment,
- Systems that contain PHI, and
- Software applications.
The new policies and procedures should ensure that the access to ePHI is limited to the minimum necessary.
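The CAP items above (recording and examining activity in systems that handle ePHI, tracking user activity, terminating user access as necessary, handling suspicious account activity, and limiting ePHI access to the minimum necessary) are what an audit-log review actually implements day to day. The following Python script is an added example, not code from the clinic, HHS or OCR. It assumes a simple CSV audit-log format (timestamp, account, role, patient ID, action) and a constructed account roster; real EHR audit trails differ, so the parser and roles would be adapted. It flags off-hours access, bulk access to many patient records by one account, exports by a vendor account (which a minimum-necessary policy would not permit), and accounts that have been idle long enough that they should be terminated.

```python
"""Review an ePHI access audit log for suspicious and dormant accounts.

Added example; assumes a CSV audit format with the five columns shown in
SAMPLE_LOG. All records and account names below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, role, patient_id, action
SAMPLE_LOG = """\
2016-03-01T11:00:00,old_vendor,vendor,P1001,view
2016-06-13T09:12:04,jsmith,clinician,P1001,view
2016-06-13T09:15:30,jsmith,clinician,P1002,view
2016-06-13T10:02:11,billing01,billing,P1001,view
2016-06-14T02:10:05,vendor_support,vendor,P1001,export
2016-06-14T02:10:06,vendor_support,vendor,P1002,export
2016-06-14T02:10:07,vendor_support,vendor,P1003,export
2016-06-14T02:10:08,vendor_support,vendor,P1004,export
2016-06-14T02:10:09,vendor_support,vendor,P1005,export
2016-06-14T02:10:10,vendor_support,vendor,P1006,export
2016-06-14T08:30:00,jsmith,clinician,P1003,view
"""

# Constructed account roster: account -> role. Used to find accounts that
# exist but have gone idle (candidates for termination under the CAP).
ROSTER = {
    "jsmith": "clinician",
    "billing01": "billing",
    "vendor_support": "vendor",
    "old_vendor": "vendor",        # last activity months ago
    "temp_contractor": "vendor",   # never seen in the log at all
}

BUSINESS_HOURS = (7, 19)   # 07:00 to 18:59 counts as in-hours
BULK_THRESHOLD = 5         # distinct patients per account per day
MAX_IDLE_DAYS = 90         # terminate accounts idle longer than this


def parse_log(text):
    """Parse CSV audit lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, account, role, patient, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account, "role": role,
            "patient": patient, "action": action,
        })
    return records


def review_access(records, business_hours=BUSINESS_HOURS,
                  bulk_threshold=BULK_THRESHOLD):
    """Return {finding_type: sorted accounts} for the three activity checks."""
    findings = defaultdict(set)
    per_day = defaultdict(set)   # (account, date) -> patient IDs touched
    for r in records:
        if not business_hours[0] <= r["ts"].hour < business_hours[1]:
            findings["off_hours"].add(r["account"])
        if r["role"] == "vendor" and r["action"] == "export":
            findings["vendor_export"].add(r["account"])
        per_day[(r["account"], r["ts"].date())].add(r["patient"])
    for (account, _day), patients in per_day.items():
        if len(patients) > bulk_threshold:
            findings["bulk_access"].add(account)
    return {k: sorted(v) for k, v in findings.items()}


def dormant_accounts(roster, records, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Roster accounts with no activity in the max_idle_days before as_of (ISO date)."""
    last_seen = {}
    for r in records:
        if r["ts"] > last_seen.get(r["account"], datetime.min):
            last_seen[r["account"]] = r["ts"]
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(a for a in roster if last_seen.get(a, datetime.min) < cutoff)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(review_access(recs))
    print(dormant_accounts(ROSTER, recs, "2016-07-01"))
```

On the constructed log, the vendor account is flagged on all three activity checks (off-hours, bulk, export), while the two idle vendor accounts surface as termination candidates. The thresholds are deliberately parameters: a clinic would tune them from its own baseline during the risk assessment, and the findings would feed the incident documentation and account-termination procedures the CAP requires.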
Athens must follow the corrective action plan for two years. During that period, it needs to submit an annual CAP compliance report to HHS. It must also notify HHS if an employee violates HIPAA policies or procedures.
HHS can impose further penalties on Athens if the clinic breaches the CAP or violates HIPAA during this two-year period.
Some analysts believe that the heavy fine is a direct message from the OCR to all covered entities. Covered entities need to take the responsibility of protecting patient information seriously. They must ensure that the necessary safeguards are in place to foil any attempt to steal PHI.
The HIPAA Privacy and Security Rules have well-defined standards for this purpose. These include standards that set limits and conditions on the use and disclosure of PHI. They also define what technical and administrative safeguards should be in place to protect the confidentiality, integrity and availability of the information. The HIPAA Breach Notification Rule covers the standards for informing patients and authorities in case of a data breach.
The Athens Orthopedic breach was one of the 10 worst data breaches of 2016. About 32% of healthcare breaches that year were due to hacking/IT incidents. In 2019, this figure jumped to about 60%. Hacking incidents accounted for 88% of healthcare records breached last year. Of the 249 breaches reported through June 2020, 149 were hacking-related incidents.
It's important that covered entities take HIPAA compliance seriously. Some of the most essential actions include:
- Conducting employee training
- Signing business associate contracts with business associates
- Implementing two-factor authentication
- Limiting PHI access to minimum necessary
- Putting in place strong technical and administrative access control measures
- Documenting incidents
- Routine audits of your systems for HIPAA compliance
If you haven't conducted a risk assessment of your healthcare organization yet, doing so should be your top priority. The exercise will help you identify the risks and vulnerabilities that exist in your systems, and it will help you write your security management plan. These are very important steps.
You can also use the HHS Security Risk Assessment Tool for this purpose. The tool is designed to help small and medium-sized organizations. You can access the latest version of the tool on the Health IT website.
What are your views on the Athens Orthopedic HIPAA settlement? What steps could the clinic have taken to prevent the hacking incident? Share your views about this incident in the comments below.