HHS Resolution Agreement: Athens Orthopedic Clinic PA (July 7, 2020); HHS News Release (Sept. 21, 2020)
HHS’s Office for Civil Rights (OCR) has announced a $1.5 million settlement with a medical clinic to resolve potential violations of HIPAA’s privacy and security rules. After receiving an alert from a journalist, the clinic determined that a hacker had used a vendor’s credentials to access the clinic’s electronic medical record system and exfiltrate unsecured protected health information (PHI) of more than 208,000 individuals. The hacker continued to access the PHI—including demographic, clinical, and financial information—for more than a month and demanded money from the clinic in exchange for a complete copy of the stolen database without sale or further disclosure. OCR began its investigation after receiving the clinic’s breach notification report and discovered “longstanding, systemic noncompliance” with HIPAA’s privacy and security rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate contracts with multiple business associates, and provide privacy training to workforce members.
In addition to the settlement payment, the clinic agreed to an extensive corrective action plan (CAP). The CAP requires the clinic to conduct an enterprise-wide risk analysis and adopt a corresponding risk management plan, each subject to OCR review and approval. The clinic must also revise—subject to OCR approval—numerous policies and procedures, including those addressing access controls, activity logs, termination of user accounts, passwords, training, and breach notification. Policies and procedures for business associate contracts must also be revamped. The approved policies and procedures must be incorporated into proposed training materials that, following OCR approval, must be included in training sessions for all workforce members. New workforce members must be trained within 14 days after they start work. For a specified period, the clinic must submit periodic reports to OCR certifying compliance with the CAP.
EBIA Comment: This resolution agreement highlights vulnerabilities that can be introduced from outside a covered entity’s or business associate’s own operating environment. Notably, OCR repeatedly refers to the third party in this settlement as a vendor rather than a business associate, implying that although the third party did not have direct access to PHI, its credentials could be used to gain access. As noted in a recent cybersecurity advisory (see our Checkpoint article), proper network segmentation can help stop an intruder from gaining access to sensitive data by sneaking in a side door and then moving laterally within a network. The agreement also reinforces the importance of policies and procedures for business associate contracts—and reminds us that security safeguards should be considered even when vendors are not business associates. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXIV.B (“What Is a Business Associate?”), and XXX (“Core Security Requirements”). You may also be interested in our webinar “HIPAA Business Associate Contracts: Due Diligence, Upstream Liability, and More” (recorded on 8/27/20).
Contributing Editors: EBIA Staff.