An orthopedic clinic in Georgia has agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential HIPAA violations the government said amounted to systemic noncompliance.1 The clinic serves about 138,000 patients per year, and it is significant that OCR came down hard on a relatively small player.

A reporter contacted the clinic to inform staff that a database of patient records may have been placed online for sale. Shortly thereafter, a hacker contacted the clinic demanding ransom in exchange for a complete copy of the stolen records. Clinic staff learned the hacker used a vendor’s credentials to steal the information. In its breach report, the clinic noted more than 208,000 patients were affected.

“OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules,” OCR reported. Those included “failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”

The growing risk of cyberattacks may have caught up with the clinic, says Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA. The original incident occurred in 2016, but the parties settled this year.

“This case goes back a few years, so maybe scope of the risk from an outside cyberattack wasn’t quite as appreciated as it would be now,” Fisher offers. “Nevertheless, this is consistent with cases where we see an incident that gets OCR’s attention, and then there is broader noncompliance in the background. No risk analysis is very bad from the government’s perspective, given all the clear guidance provided. If you’re not doing that, there is going to be a lot of unhappiness with your operations.”

It also is important to take cyberattacks seriously and respond quickly. It appears the Georgia clinic may not have acted swiftly. The clinic also may not have been monitoring online sites for data stolen from its system, since a reporter alerted the clinic to the problem.

“The lesson is you always have to be monitoring your systems and doing what you can to figure out what’s been going on,” Fisher stresses. “You don’t want to be in that scenario where you’re relying on someone else to tell you your system has been compromised.”

This case demonstrates how HIPAA is one of the rare laws where one earns credit just for trying, says Mark R. Ustin, JD, partner with Farrell Fritz in Albany, NY. It is the failure to make that minimum effort that lands covered entities in trouble, he says.

“The things that got them in trouble are all the very basic things, whereas in a lot of other legal situations you can run afoul of complicated requirements that can trip up anyone,” Ustin explains. “This was all extremely avoidable. Someone might ask how OCR is holding them responsible for someone hacking into their system and stealing data. When you look at their obligations and what they failed to do, it becomes clearer why this penalty was applied.”

Systemic noncompliance only comes into play when a covered entity has failed to take the most basic measures to comply with HIPAA, usually over time. It is not a charge that comes from merely overlooking one detail of the requirements.

Unfortunately, systemic noncompliance is not uncommon, Ustin says. In some cases, entities do not realize their data are subject to HIPAA requirements, such as when business associates fail to protect PHI. “Once that happens, that is when you’ve opened the door to having a systemic problem,” Ustin adds.

The central OCR finding regarding the clinic’s breach was “longstanding systemic noncompliance,” notes Sarah E. Coyne, JD, partner with Quarles & Brady in Madison, WI. The term “systemic noncompliance” has become something of an OCR buzzword, she says.

The entity had violated multiple parameters of HIPAA for a long time, including those that are focus areas for OCR (e.g., the requirements for risk analysis, audit controls, and business associate agreements).

“Although there is enforcement discretion currently in play regarding telehealth-related disclosures until the end of the national public health emergency, OCR is not hesitating to bring down the hammer in other circumstances,” Coyne says. “In addition to its vigorous enforcement of the right to access standard, OCR has had it with longstanding widespread noncompliance. This case shows us that the penalties are not reserved for large health systems only.”

When OCR receives a breach report involving 500 or more individuals, the agency is obligated to investigate, Coyne says. It looked into the breach that was reported, but this case illustrates how OCR also will explore the past, regardless of whether that is directly related to the current breach.

“The [Georgia] case also teaches us that OCR views hacking through a lens of whether the covered entity did enough to guard against it,” Coyne says. “Specifically, if an entity is hacked, it should be able to demonstrate compliance with the privacy and security rules through audits, risk analyses, updated policies, and training.”

To guard against enforcement actions, hospitals should evaluate their policies to ensure they are up to date. Perhaps even more importantly, hospitals should examine all their vendor contracts and ensure there are business associate agreements in place. Business associates must be aware of their own direct responsibility under HIPAA, and they must put their own policies and training in place.

“The risk analysis is not theoretical. It is required, and it is a big deal for OCR,” Coyne says. “Hospitals should ensure they are doing regular and proper risk analyses, which may require third-party contractors to do a full gap analysis, and then it is vital to address the deficiencies identified.”

The settlement with the clinic was the ninth settlement of an alleged HIPAA violation this year, and the OCR has since settled four more investigations, notes Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix. This one is particularly noteworthy, she says, because patient records were made publicly available online for sale, a journalist discovered the issue, and the records contained sensitive information, including Social Security numbers, medical procedures, and test results.

“No doubt this made for a bad combination in the eyes of OCR. Like many other providers subject to an OCR investigation, the clinic didn’t fare well, particularly on the security side,” Dunlap says. “The HIPAA Security Rule has been around for almost 20 years and is intended to be flexible based on the size of the organization. However, healthcare providers, particularly smaller ones, are still lagging and lacking from a security standpoint, as cyber risks are on the rise.”

The risk analysis, which can be conducted internally or by an outside vendor, is the critical first step in meeting the HIPAA security requirements, Dunlap says. If an organization is subject to HIPAA and has never performed and documented a risk analysis, it is important to complete one.

If resources are limited, Dunlap advises using the Security Risk Assessment tool provided by OCR.2 Prepare a corresponding risk management plan for correcting or mitigating the risks that were identified in the risk analysis.

“Those two steps, even if imperfect, will help any organization if they are hit with an OCR investigation. In fact, OCR almost always requests those two documents ... even if the incident that triggered the review did not involve a security issue,” Dunlap says.

Dunlap notes the Georgia clinic is now subject to a two-year corrective action plan (CAP) as part of its resolution agreement with OCR. “Not surprisingly, one of the first tasks under the CAP is to perform a risk analysis, and OCR is overseeing that process,” she says. “It’s certainly better to get it done before the government comes knocking.”

REFERENCES

  1. HHS.gov. Orthopedic clinic pays $1.5 million to settle systemic noncompliance with HIPAA rules. Sept. 21, 2020.
  2. HealthIT.gov. Security Risk Assessment Tool. Content last reviewed Sept. 14, 2020.