HIPAA Security Rule Violations Lead to $25,000 Settlement between Clinical Laboratory & OCR

The Department of Health and Human Services’ Office for Civil Rights (OCR) says a $25,000 HIPAA settlement has been agreed with Peachstate Health Management, LLC, dba AEON Clinical Laboratories, that resolves a HIPAA case involving several HIPAA Security Rule violations.

Peachstate, a CLIA-certified laboratory, supplies a variety of services to HIPAA-covered entities, including clinical and genetic testing services, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

Speaking about the breach, Robinsue Frohboese, Acting OCR Director said: “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information. This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

On August 31, 2016, OCR initiated a review of a breach that the U.S. Department of Veterans Affairs (VA) had reported on January 7, 2015. The breach involved the VA’s business associate, Authentidate Holding Corporation (AHC), which the VA had hired to oversee its Telehealth Services Program.

The OCR investigation sought to determine whether the data breach had occurred because of a failure to comply with the HIPAA Privacy and Security Rules. During the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016, and had acquired Peachstate.

OCR then decided to conduct a compliance review of Peachstate’s clinical laboratories to assess their compliance with the HIPAA Privacy and Security Rules. The auditors discovered a number of potential violations of the HIPAA Security Rule.

Peachstate had not completed an appropriate risk assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had not reduced risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

There was a lack of audit controls for collecting and reviewing logs of activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been documented to record the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), which was in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case by paying a $25,000 penalty and adopting an extensive corrective action plan to fix all areas of noncompliance. Peachstate will also be closely monitored by OCR for HIPAA Security Rule compliance for 3 years from the date of the resolution agreement.

Author: Maria Perez