The Athens Orthopedic Clinic has agreed to pay $1.5 million and comply with a corrective action plan in order to resolve allegations of multiple HIPAA violations made against the clinic by HHS’ Office for Civil Rights.
In June 2016, a journalist working for www.databreaches.net alerted the Athens Orthopedic Clinic that a database of the clinic’s patient records was being advertised for sale online. It was determined that a hacker group had obtained a business associate’s credentials to the clinic’s system and used the credentials to access 208,557 patient records.
Because the hackers accessed several applications, a wide range of Protected Health Information (PHI) was exposed, including patient names, dates of birth, Social Security numbers, clinical information, and financial/billing information. The clinic reported the breach to HHS’ Office for Civil Rights (OCR) in July 2016.
OCR’s investigation found multiple potential violations of HIPAA, including failures to prevent unauthorized access to PHI, to conduct an accurate and thorough risk assessment, and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
However, possibly the most surprising of the clinic’s compliance failures was the failure to provide HIPAA training to members of the workforce until January 2018 – more than a year and a half after the data breach was identified. The failure not only related to Security Rule training, but also Privacy Rule training.
Resolution Agreement Includes Comprehensive Training Requirements
As well as paying $1.5 million to settle the alleged violations of HIPAA, the Athens Orthopedic Clinic must comply with a corrective action plan that requires the clinic to conduct a thorough risk assessment, develop policies and implement safeguards to minimize risks and vulnerabilities, and train members of the workforce on those policies.
The training requirement is comprehensive: before providing any HIPAA training, the clinic must submit its proposed training materials to OCR for approval. Once the materials are approved, training must be provided to all workforce members within 30 days (new hires must be trained within 14 days and before they have any access to systems maintaining PHI).
All materials used for training must be reviewed at least annually, and ongoing training must be provided “routinely” (no exact frequency is specified in the resolution agreement). In addition, all HIPAA violations by members of the workforce must be reported to OCR along with details of the actions taken by the clinic.
The term of the corrective action plan is initially two years. However, OCR has the authority to extend the plan for any length of time should the clinic breach the terms of the corrective action plan or fail to resolve the compliance issues that were identified in OCR’s investigation.