Our commitment to include #BeCyberSmart each week this month did not anticipate that OCR would set a record for resolution announcements in September. This week we give you the information you need to plan next week’s NCSAM activities, plus a review of the Athens Orthopedic resolution agreement. A lot to cover!



In this episode:

Athens Ortho Settlement + NCSAM Week 2 – Ep 275

Thanks to our donors.  We appreciate your support!


NCSAM Week 2: Securing Devices at Home and Work

[05:34] Beginning Oct 12, Week 2 of NCSAM focuses on securing devices at home as well as at work. The point in the Champion guide for this week that really captured my attention was this one:

Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of.

Teleworking guidance from CISA: Telework Guidance and Resources

IoT tip sheet from CISA: DHS NCSAM 2019 – Social Media Cybersecurity. This one can be helpful this week and again next week when we talk about healthcare specifically. It is not David’s version of the ID IoT tip sheet though!


On the Cybersecurity Alliance site you can sign up for the Gone Phishing Tournament 2020, which will send a free phishing test to your team. This is a unique opportunity: they will be using the same phishing template for everyone that signs up, which lets them report your click rate alongside how other organizations like yours scored. Good news or bad news, it will be valuable information to submit to your leadership.

BeCyberSmart WI-FI Is Not Secure

Webinars for NCSAM Week 2

[11:07] This week has several very good webinars to share around your organization and even with your vendors. You can sign up with the links below:

Date & Time / Title

  • October 13th, 1pm CDT / 2pm EDT: Tips to avoid today’s cyber threats
  • October 13th, 2pm EDT: Smart Devices Need Smart Security: Securing Your Business in an Internet of Everything World
  • October 14th, 1pm: 5 Reasons Why Software Security is More Critical Than Ever
  • October 15th, 2pm: Cybersecurity in A Flash: Virtual Small Business Cybersecurity Summit

This last webinar planned looks very interesting and different. Here is the description:

The 2020 Small Business Cybersecurity Summit is a 3-hour virtual workshop showcasing information and resources that small & medium-sized businesses can put into action to improve their security. What makes it flashy? The majority of the event will be presented in a flash talk format (each speaker will only have 5 minutes and 1 slide to communicate technical concepts to a non-technical audience). Can it be done? Yes. Will it be done? Yes. Join us to see how! In addition to the flash talk series, we’ll kick off with a live-streamed fireside chat discussing the current state of small business cybersecurity, and will conclude the event with a live Q&A session with experts and exhibitor demos.

There are 12 of those flash talks planned along with an opening session and a closing session.

BeCyberSmart Think Before You Click

These options, along with your Cybersecurity Champion fliers and the other tools we already gave you, provide a lot of variety to share with the different teams in your organization. Share some of them on social media and with your family too. This educational material is for everyone, not just those at work.

Athens Orthopedic Clinic Settlement

[16:29]I kept expecting to see this one come through earlier this year. It is right down the road from here after all. You do hear things around the virtual water cooler, so to speak. We have been discussing this one on the podcast since it made a very public splash in 2016. The OCR findings are pretty specific as well as the CAP so let’s get to it.

The big statement in the press release includes a paragraph preceding the obligatory quote from the Director that we always see:

OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. (OCR Press Release)

We just discussed the interview with Noonan that stated clearly they would look for cases with “longstanding, systemic noncompliance” for their enforcement. This one did drag on since 2016 but a lot happened in those years when it comes to the work and time the investigation required.

Here is what happened as defined by the resolution agreement findings, just to catch everyone up.

On June 26, 2016, a journalist from “” notified AOC that “a database of patient records” suspected to belong to AOC was posted online for sale. On June 28, 2016, a hacker group known as “The Dark Overlord” contacted AOC by email and demanded money in return for a complete copy of the database it stole without sale or further disclosure. It was determined, through computer forensic analysis, that the Dark Overlord had obtained a vendor’s credentials to AOC’s system and used them to gain access on June 14, 2016. While AOC terminated the compromised credentials on June 27, 2016, the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.

It was determined that 208,557 individuals were affected by this breach. Due to the breadth of system applications affected, a variety of protected health information (PHI) was exposed including patient demographic information (name, date of birth, social security number, etc.), clinical information (reason for visit, “social history,” medications, test results, medical procedures, etc.), and financial/billing information (health insurance information, payment history).
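The timeline above is the part worth dwelling on: the compromised vendor credential was disabled on June 27, yet the intrusion was not effectively blocked for nearly three more weeks. That gap is exactly what the "audit controls" finding (mechanisms that record and examine activity in systems holding ePHI) is meant to close. The script below is an added example, not code from the podcast or from the resolution agreement. It runs a post-termination review over constructed authentication log lines with hypothetical account names and documentation-range IPs: it checks whether the disabled account is still being used, and whether any other account has been authenticating from the addresses the compromised account used during the intrusion, which is the usual sign that the attacker created or took over a second foothold.

```python
"""Post-termination log review for a compromised vendor credential.

Added example with constructed data; account names, IPs and the log
format are hypothetical and not taken from the AOC resolution agreement.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    outcome: str  # "success" or "failure"


# Constructed sample log: one authentication attempt per line, oldest first.
# vendor_svc is the compromised vendor account; it_admin2 is a second account
# first seen logging in from the attacker's address a week after the intrusion.
SAMPLE_LOG = """\
2016-06-14T02:11:05 user=vendor_svc src=203.0.113.7 outcome=success
2016-06-20T03:40:12 user=vendor_svc src=203.0.113.7 outcome=success
2016-06-21T01:05:00 user=it_admin2 src=203.0.113.7 outcome=success
2016-06-22T08:02:31 user=jsmith src=192.0.2.25 outcome=success
2016-06-28T00:12:44 user=vendor_svc src=203.0.113.7 outcome=failure
2016-06-30T02:30:09 user=it_admin2 src=198.51.100.9 outcome=success
2016-07-01T08:15:00 user=jsmith src=192.0.2.25 outcome=success
"""

# Date the compromised credential was terminated (from the findings narrative).
TERMINATED_AT = datetime(2016, 6, 27)


def parse_line(line: str) -> AuthEvent:
    """Parse '<ISO timestamp> user=<name> src=<ip> outcome=<success|failure>'."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.fromisoformat(ts_text), kv["user"], kv["src"], kv["outcome"])


def review_after_termination(
    events: Iterable[AuthEvent], compromised_user: str, terminated_at: datetime
) -> Dict[str, object]:
    """Answer two questions a reviewer should ask once a credential is disabled:
    1. Is the disabled account still being used (or still being tried)?
    2. Did any other account authenticate from the attacker's addresses,
       before or after termination, i.e. is there a second foothold?"""
    events = sorted(events, key=lambda e: e.ts)

    # Addresses the compromised account successfully authenticated from.
    attacker_ips = {e.src_ip for e in events
                    if e.user == compromised_user and e.outcome == "success"}

    # Any activity on the disabled account after the termination date.
    post_attempts = [e for e in events
                     if e.user == compromised_user and e.ts >= terminated_at]
    post_successes = [e for e in post_attempts if e.outcome == "success"]

    # Other accounts that ever succeeded from the attacker's addresses.
    linked = sorted({e.user for e in events
                     if e.user != compromised_user
                     and e.outcome == "success"
                     and e.src_ip in attacker_ips})

    # Those linked accounts still active after the vendor credential was cut.
    linked_after = [e for e in events
                    if e.user in linked and e.outcome == "success"
                    and e.ts >= terminated_at]

    return {
        "attacker_ips": attacker_ips,
        "post_termination_attempts": len(post_attempts),
        "post_termination_successes": post_successes,
        "linked_accounts": linked,
        "linked_after_termination": linked_after,
        # Termination only worked if neither the disabled account nor a
        # linked account succeeded after the cut-off.
        "intrusion_blocked": not post_successes and not linked_after,
    }


def review_sample() -> Dict[str, object]:
    """Run the review over the constructed sample log."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return review_after_termination(events, "vendor_svc", TERMINATED_AT)


if __name__ == "__main__":
    result = review_sample()
    print("attacker IPs:", sorted(result["attacker_ips"]))
    print("linked accounts:", result["linked_accounts"])
    for e in result["linked_after_termination"]:
        print(f"  still active after termination: {e.user} from {e.src_ip} at {e.ts}")
    print("intrusion blocked:", result["intrusion_blocked"])
```

On the sample data the disabled account only fails after June 27, which is what you would expect, but it_admin2 first appeared from the attacker's address before the cut-off and keeps logging in afterward from a new address, so the review reports the intrusion as not blocked. The shared-address rule is a heuristic: accounts behind the same NAT or VPN egress will look linked too, so treat each hit as a lead to confirm against account creation and change records, not as proof.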

[28:23] Here is the list of “potential violations” they found. Since this is a resolution agreement, the CE does not admit that it did these things; it just agrees to make sure they never happen again in order to resolve the issue and make it go away.

  • The requirement to prevent unauthorized access to the ePHI of 208,557 individuals whose information was maintained in AOC’s information systems.
  • Until August 2016, the requirement to maintain copies of AOC’s HIPAA policies and procedures.
  • From September 30, 2015 to December 15, 2016, the requirement to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • Until August 7, 2017, the requirement to enter into business associate agreements with three of its business associates, Quest Records LLC, Total Technology Solutions, and SRS Software LLC.
  • Until January 15, 2018, the requirement to provide its entire workforce with HIPAA training.
  • The requirement to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by AOC.
  • The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

In addition to the settlement payment to OCR (and all the experts and attorneys involved over the last 4 years) they are going on a 2-year corrective action plan that includes many of those specifics we have seen recently.

Business Associates

Within sixty (60) days of the Effective Date and annually following the Effective Date, AOC shall review all relationships with vendors and third party service providers to identify business associates. AOC shall provide HHS with the following:

a. An accounting of AOC’s business associates, to include the names of business associates, a description of services provided, the date services began, and a description of the business associate’s handling of/interaction with AOC’s PHI; and

b. Copies of the business associate agreements that AOC maintains with each business associate.

I cannot tell you the number of times we hear from clients that they don’t need to review all their vendors; they just need to worry about the ones they know are BAs. Now you see why we make sure we ask for the entire vendor list and compare it to the BAAs they have on file.

Risk Analysis and Management

AOC shall conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by AOC or its affiliates that are owned, controlled or managed by AOC that contain, store, transmit or receive AOC ePHI. As part of this process, AOC shall develop a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis.

Then you have the approval loop until OCR signs off on the SRA.

Within sixty (60) calendar days of HHS’s approval of the Risk Analysis, AOC shall develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision. The plan shall be forwarded to HHS for its review.

And another loop for OCR approval begins. That brings us back to a clear point about the SRA one more time. How often do we still hear folks say they only need to do one every 2 or 3 years? Looks like that just will not cut it any longer.

AOC shall annually conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by AOC, affiliates that are owned, controlled, or managed by AOC, and its engaged business associates, and document the security measures AOC implemented or is implementing to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Subsequent risk analyses and corresponding management plans shall be submitted for review by HHS in the same manner as described in this section until the conclusion of the CAP. Revisions to policies and procedures in this section shall be made pursuant to Section V.D.5 below.

Policies & Procedures

This section includes a specific list, not just the one or two items we saw in the 5 patient access resolutions.

CAP Policies and Procedures Requirements
AOC’s policies and procedures shall include, but not be limited to, the minimum content set forth in Paragraph V.E below. Additionally, in light of OCR’s investigation, particular revision is required to AOC’s policies and procedures relating to:

  • Technical access controls for any and all network/server equipment and systems to prevent impermissible access and disclosure of ePHI,
  • Technical access control and restriction for all software applications that contain ePHI to ensure authorized access is limited to the minimum amount necessary,
  • Technical mechanisms to create access and activity logs as well as administrative procedures to routinely review logs for suspicious events and respond appropriately,
  • Termination of user accounts when necessary and appropriate,
  • Appropriate configuration of user accounts to comply with the Minimum Necessary Rule,
  • Required and routine password changes,
  • Password strength and safeguarding,
  • Addressing and documenting security incidents,
  • Conducting routine, accurate, and thorough risk analyses and implementing corresponding security measures to sufficiently reduce identified risks and vulnerabilities to a reasonable and appropriate level,
  • Workforce training,
  • Documentation of workforce training,
  • Identification of business associates,
  • Engaging in compliant business associate agreements,
  • Breach notification content requirements.

Am I shocked by that list? No. Also not shocked that there is more.

CAP BA & BAA Requirements

AOC shall revise its Business Associate & Business Associate Agreement policies and procedures to:

  1. designate one or more individual(s) who are responsible for ensuring that AOC enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to AOC disclosing protected health information (PHI) to the business associate;
  2. create a process for assessing AOC’s current and future business relationships to determine whether each relationship is with a “business associate,” as that term is defined under the HIPAA Rules, and requires AOC to enter into a business associate agreement;
  3. create a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates;
  4. create a standard template business associate agreement;
  5. create a process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of when the business associate relationship is terminated; and
  6. limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.

Then it is the normal process we see in settlements: review and modify your policies and procedures as needed. Follow that with the implementation and training required to make sure the workforce knows what they are supposed to be doing.

After all of that, though, the part that comes next was pretty interesting to see added in here.

CAP Specific Policies and Procedures Requirements
The Policies and Procedures shall include measures to address the following Privacy and Security Provisions:

Privacy Rule Provisions:

1. Uses and Disclosures of PHI – 45 CFR § 164.502(a)

2. Minimum Necessary – 45 CFR § 164.502(b)

3. Disclosures to Business Associates- 45 C.F.R. § 164.502(e)(1)

4. Training – 45 C.F.R. § 164.530(b)(1)

5. Safeguards – 45 C.F.R. § 164.530(c)(1)

6. Changes to Policies and Procedures – 45 C.F.R. § 164.530(i)(2)

Security Rule Provisions:

7. Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b).

8. Physical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.310.

9. Technical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.312.

Breach Notification Rule Provisions:

10. Notification to Individuals, including all required and addressable implementation specifications – 45 C.F.R. § 164.404.

11. Notification to the Media, including all required and addressable implementation specifications – 45 C.F.R. § 164.406.

12. Notification to the Secretary of HHS, including all required and addressable implementation specifications – 45 C.F.R. § 164.408.

After this it gets into the normal items we see for training, incidents, etc. As we get more of these specific CAP details, the reasons to follow exactly what OCR expects keep adding up. If you haven’t taken the time to review them with your team, don’t keep putting it off.

Yes there is a lot to unpack here.

First, #BeCyberSmart! Share this information with colleagues, friends, family and the community.

Second, pay attention to what is going on around you. If you aren’t taking care of your HIPAA obligations, the message is clear: your excuses will not be accepted when you get caught. At a rate of 28,000 complaints per year and hundreds of data breaches, it is just a matter of time before you are caught up in something that exposes your lack of commitment to protecting the privacy of your patient information.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.