A Georgia-based clinical laboratory recently agreed to pay $25,000 to The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
That rule establishes national standards to protect individuals’ electronic protected health information (PHI) that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
According to the settlement agreement, Peachstate Health Management, LLC, dba AEON Clinical Laboratories, which provides clinical and genetic testing services, mostly through its parent company AEON Global Health Corp., failed to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.
According to the agency, the investigation dates back to January 2015, when the U.S. Department of Veterans Affairs reported a breach of unsecured protected health information involving the VA’s Telehealth Services Program managed by its business associate, Authentidate Holding Corporation (AHC). OCR initiated a review to determine AHC’s compliance with privacy and security rules.
During that review, OCR learned that AHC and Peachstate had entered into a reverse merger, whereby AHC acquired Peachstate. That led OCR to open a compliance review into Peachstate, during which it says it found that Peachstate failed to do the following:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by Peachstate.
- Implement security measures sufficient to reduce the risks and vulnerabilities identified in its risk analysis or assessment to a reasonable and appropriate level.
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
- Maintain the policies and procedures required under HIPAA.
In addition to paying the $25,000, Peachstate also agreed to implement a corrective action plan. Among other things, the plan requires a comprehensive, enterprise-wide risk analysis of the security threats and vulnerabilities of all electronic PHI created, received, maintained or transmitted by Peachstate. The company also must develop and implement a risk management plan, as well as develop, maintain and revise its written policies and procedures relating to the protection of patients’ identifiable health information. OCR will monitor Peachstate to ensure compliance with the corrective action plan for three years.
As we have been writing about, OCR is serious about HIPAA violations. More recently, OCR has been going after providers who violate HIPAA’s Right of Access Requirement, which requires providers to give patients access to their health records upon request and for a reasonable fee. As of March, OCR settled 18 Right of Access cases.
The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to firstname.lastname@example.org and let’s discuss how we might be able to assist you.