The Office of Civil Rights, after showing a ridiculously un-enforced year, surprised all but those close with three announced corrective action plans last week totaling $10.65M.
The first, announced on September 21st, was a $1.5M corrective action plan with Athens Orthopedic Clinic of Georgia. Athens Orthopedic Clinic was hacked in 2016 and their ePHI database was posted online for sale. OCR noted a "...longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules...". In addition to the monetary settlement, Athens Orthopedic Clinic is also agreed to a two year corrective action plan.
A September 23rd announced settlement is with CHSPSC, LLC, a HIPAA Business Associate providing information technology and health information management services. CHSPSC was entered into a two year corrective action plan and has agreed to pay $2.3M after breaching more than six million patients worth of ePHI. Again, OCR noted a "...longstanding, systemic noncompliance with the HIPAA Security Rule...".
The last settlement was announced on September 25th with the health insurer Premera Blue Cross. Premera has agreed to pay $6.85M and enter into a two year corrective action plan for "...systemic noncompliance with the HIPAA Rules..." which resulted in the compromise of 10.4M patient records.
What's most-distressing-but-not-surprising is the common behavior that we continue to see from healthcare organizations large and small: employ information services and some kind of security controls, but without addressing the basic program elements of a HIPAA program. Although a fair amount of work to deploy, the HIPAA Security Rule controls are basic and well below a more stringent framework like NIST CSP or ISO27001. It's worth mentioning (again) that criminals aren't twenty-somethings that live in their parent's basement; they are professional organizations committed to a criminal activity, just as we are professional organizations committed to positive healthcare outcomes.
Read more about the settlements below:
Stay (HIPAA) safe,