October 24, 2020

Volume X, Number 298

OCR Settles with Orthopedic Clinic for $1.5 Million for Alleged HIPAA Noncompliance

On September 21, 2020, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules.

The penalty followed an OCR investigation into a July 2016 data breach reported by Athens Orthopedic in which hackers gained access to its systems using third-party vendor credentials and exfiltrated protected health information (“PHI”). The records of 208,557 patients were stolen and posted online, including names, dates of birth, Social Security numbers, medical procedure details, test results, billing information and health insurance information.

OCR’s investigation found that Athens Orthopedic was in longstanding noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements and provide HIPAA Privacy Rule training to workforce members. Under the terms of OCR’s resolution agreement, Athens Orthopedic must adopt a corrective action plan that includes two years of monitoring.

“Hacking is the number one source of large health care data breaches,” said OCR Director Roger Severino. “Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers.”

 

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.
National Law Review, Volume X, Number 268

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
