Systemic Noncompliance

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The narrative varies slightly from episode to episode, but the outcome is generally the same: pay a fine, make a plan, regret not doing all of this in the first place. This isn’t some soap opera or Netflix binge-worthy series; this is real life, and the characters are the healthcare industry and the Office for Civil Rights (OCR).

Recently, Athens Orthopedic Clinic PA agreed to pay $1.5 million in fines and to adopt a corrective action plan to settle its 2016 violation, which exposed patient records. The clinic had been contacted by a hacker demanding ransom money in return for the stolen database. This cybercriminal had used a vendor’s credentials to access the electronic medical record system and obtain the database of protected health information (PHI). This access continued for a month, until July 16, 2016.

At the end of that month, Athens Orthopedic filed a breach report that alerted the OCR that 208,557 individuals had been affected by the data breach. The information accessed included patient names, birthdates, Social Security numbers, medical procedures, health insurance information, and the results of medical testing.

The resulting investigation uncovered a long history of systemic noncompliance with the HIPAA Privacy and Security Rules. It revealed that Athens Orthopedic had failed to conduct any risk analysis or to implement any risk management or audit controls. The clinic had not secured business associate agreements with its multiple business associates, had not maintained HIPAA policies and procedures, and had provided no HIPAA Privacy Rule training to its team.

Ending shocker (or not): They had to pay a fine and implement a corrective action plan.

What is Systemic Noncompliance?
Athens Orthopedic isn’t the only healthcare organization to have systemic noncompliance within its walls. It is reasonable to assume that other providers have also violated the documented regulations the OCR enforces. These repeated defects give hackers ample opportunity to gain access and are the weakest links in an already threatened industry.

Corrective action needs to be taken NOW, not when it is too late and comes coupled with the hefty fine that is inevitably imposed on these businesses.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now! offers annual online subscriptions to help covered entities and business associates keep up with compliance.

HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.

Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. According to Kaspersky Lab, over 90% of breaches are caused by human error, and if you’re not educating users on HOW to protect your organization in this ever-changing threat landscape, your organization could be next.