top of page

Three OCR Settlements In One Week!

The Office of Civil Rights, after showing a ridiculously un-enforced year, surprised all but those close with three announced corrective action plans last week totaling $10.65M.

The first, announced on September 21st, was a $1.5M corrective action plan with Athens Orthopedic Clinic of Georgia. Athens Orthopedic Clinic was hacked in 2016 and their ePHI database was posted online for sale. OCR noted a "...longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules...". In addition to the monetary settlement, Athens Orthopedic Clinic is also agreed to a two year corrective action plan.

A September 23rd announced settlement is with CHSPSC, LLC, a HIPAA Business Associate providing information technology and health information management services. CHSPSC was entered into a two year corrective action plan and has agreed to pay $2.3M after breaching more than six million patients worth of ePHI. Again, OCR noted a "...longstanding, systemic noncompliance with the HIPAA Security Rule...".

The last settlement was announced on September 25th with the health insurer Premera Blue Cross. Premera has agreed to pay $6.85M and enter into a two year corrective action plan for "...systemic noncompliance with the HIPAA Rules..." which resulted in the compromise of 10.4M patient records.

What's most-distressing-but-not-surprising is the common behavior that we continue to see from healthcare organizations large and small: employ information services and some kind of security controls, but without addressing the basic program elements of a HIPAA program. Although a fair amount of work to deploy, the HIPAA Security Rule controls are basic and well below a more stringent framework like NIST CSP or ISO27001. It's worth mentioning (again) that criminals aren't twenty-somethings that live in their parent's basement; they are professional organizations committed to a criminal activity, just as we are professional organizations committed to positive healthcare outcomes.

Read more about the settlements below:

Stay (HIPAA) safe,

Alan -

13 views0 comments


bottom of page