The story narrative varies slightly from episode to episode, but the outcome is generally the same. Pay a fine, make a plan, regret not doing this all in the first place. This isn’t some soap opera or Netflix binge-worthy series; this is real life and the characters are the healthcare industry and Office for Civil Rights (OCR).
Recently we find Athens Orthopedic Clinic PA agreeing to pay $1.5 million in fines and agreeing to adopt a corrective action plan to settle their 2016 violation which exposed patient records. They had been contacted by a hacker demanding ransom money in return for the stolen database. This cybercriminal had used a vendor’s credentials to access to electronic medical record system and obtain the database of protected health information (PHI). This access continued for a month until July 16, 2016.
At the end of that month, Athens Orthopedic filed a breach report that alerted the OCR of 208,557 individuals being affected by this data breach. The information accessed included patient names, birthdates, social security numbers, medical procedures, health insurance information, and the results of medical testing.
The resulting investigation uncovered a long history of systemic noncompliance with HIPAA Privacy and Security Rules. It was revealed that Athens Orthopedic had failed to conduct any risk analysis or implement any type of risk or audit controls. There was no securement of business associate agreements (which included multiple business associates), maintenance of HIPAA policies and procedures, nor was there any HIPAA Privacy Rule training to their team.
Ending shocker (or not): They had to pay a fine and implement a corrective action plan.
What is Systemic Noncompliance?
Athens Orthopedic isn’t the only healthcare agency to have systemic non-compliance within its organization or business walls. This means that it can be assumed that other providers have had violations of documented regulations from the OCR. These repeat defects provide hackers with ample opportunity to gain access and are the weakest links when it comes to an already threatened industry.
Corrective action needs to be taken NOW, not when it is too late, or is coupled with the hefty fine that is inevitably put upon these businesses.