Years of ignoring HIPAA brought about a tough result from regulators.
An unusually harsh settlement for potential HIPAA violations includes a $25,000 fine and three years of follow-up monitoring under a Corrective Action Plan. The corrective action plan includes close attention from the Office of Civil Rights (OCR) regulators, with annual reports and review. Most settlements include two years of follow-up.
Peachstate Health Management, LLC dba AEON Clinical Laboratories, a lab that was purchased by another company under investigation for HIPAA violations, ended up being investigated also. The Office for Civil Rights (OCR), the agency that enforces HIPAA, found multiple violations of the Security Rule at Peachstate and brought down the hammer.
The Georgia-based lab is certified under the Clinical Laboratory Improvement Amendments (CLIA) and provides diagnostic clinical and genetic testing services. In December 2017, OCR began a compliance review of Peachstate to determine the company’s compliance with the HIPAA Privacy and Security Rules. This review found that Peachstate engaged in systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis; to implement risk management and audit controls; and to maintain documentation of HIPAA Security Rule policies and procedures.
Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI (electronic protected health information) and policies and procedures had not been implemented to record actions, activities, and assessments required by the HIPAA Security Rule.
Commenting on the settlement, acting OCR Director Robinsue Frohboese said:
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information…” (italics added for emphasis)
While we do not know the details of the three and a half years of investigation into Peachstate’s potential HIPAA violations, we do know that OCR routinely offers technical assistance to organizations who are being investigated. If the technical assistance is not accepted or used, the end result can be harsher.
If you face investigation, pay close attention, respond promptly, and accept technical assistance if offered.
If you want to get your house in order before the hammer comes down, contact The HIPAA E-Tool®.