HIPAA Resolution Agreements

In a settlement that is remarkable both for the size of the payment and for the type of provider involved, the Office for Civil Rights (OCR) announced on September 21, 2020 an agreement with Athens Orthopedic Clinic PA ("Athens Orthopedic"). The resolution agreement settled alleged HIPAA violations uncovered after Athens Orthopedic, a covered entity, suffered a data breach.

After a quiet first half of the year due to COVID-19 and related factors, the Department of Health and Human Services' (HHS) OCR is back in action, entering into settlement agreements over HIPAA privacy and security violations. In September there were eight separate resolutions, which is probably a new record, and OCR continued to resolve such matters through October.

On September 21, 2020, OCR announced that Athens Orthopedic had agreed to pay $1.5 million to OCR and to adopt a corrective action plan to address potential violations of the HIPAA Privacy and Security Rules. On June 26, 2016, a journalist notified Athens Orthopedic that a database containing its patient medical records had been posted online. On June 28, 2016, a hacker contacted Athens Orthopedic demanding money in exchange for a complete copy of the stolen database. Athens Orthopedic determined that for more than a month the hacker had accessed the organization's electronic medical records system and exfiltrated patient health data. Athens Orthopedic filed a breach report with OCR stating that 208,557 individuals were affected by the breach.

OCR's investigation found that the HIPAA Privacy and Security Rules had not been consistently followed for an extended period, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide privacy-rule training to employees.

A resolution agreement is a settlement contract signed by HHS and a covered entity or business associate, in which the covered entity or business associate agrees to fulfill certain obligations and to submit reports to HHS over a three-year period. During that period, HHS monitors the covered entity's compliance with its commitments. A resolution agreement may include the payment of a settlement amount. If HHS cannot reach a satisfactory resolution through the covered entity's demonstrated compliance or corrective action by other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed on the covered entity for its noncompliance.