An insider breach can be costly.
The Office for Civil Rights (OCR) imposed a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Clearway Pain Solutions) in Florida for alleged HIPAA violations. The penalty followed an investigation triggered by the pain management clinic’s breach report in 2019.
The HIPAA Investigation
OCR initiated the investigation after receiving the breach report, which noted that a former contractor had impermissibly accessed Clearway Pain Solutions’ electronic medical record (EMR) system to retrieve patients’ protected health information (PHI).
OCR’s investigation found that the contractor had accessed Clearway Pain Solutions’ EMR three times, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
Clearway Pain Solutions reported that the contractor was retained in May 2018 to provide business consulting services and stopped providing those services in August 2018.
However, in February 2019, Clearway Pain Solutions discovered the former contractor continued to access its electronic medical records to retrieve patients’ PHI for use in potentially fraudulent Medicare claims. Upon the discovery, Clearway Pain Solutions terminated the contractor’s access.
OCR found four violations of the HIPAA Security Rule by Clearway Pain Solutions, including failures to:
- conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI) in its systems;
- implement procedures to regularly review records of activity in information systems;
- implement procedures to terminate former workforce members’ access to ePHI; and
- implement procedures for establishing and modifying workforce members’ access to information systems.
OCR issued a notice of proposed determination in August 2024, informing Clearway Pain Solutions that the agency would impose a civil monetary penalty. The pain management clinic waived its right to a hearing and did not contest OCR’s findings. OCR issued its notice of final determination to Clearway Pain Solutions in September.
Insider Breach Threat is Growing
Insider breaches continue to threaten healthcare more than other sectors. The Verizon 2024 Data Breach Investigations Report noted that in healthcare, during the period studied, 70% of the threat actors were insiders, while 30% were external. In the financial and insurance industry the statistics are reversed: 31% of the threat actors were insiders, and 69% were external.
Follow the HIPAA Security Rule
OCR Director Melanie Fontes Rainer emphasized the importance of compliance with the HIPAA Security Rule.
“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system. Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
Risk Analysis is Central to HIPAA Compliance
OCR recommends that covered entities and business associates take the following steps to mitigate or prevent cyber threats:
- Integrate risk analysis and risk management into business processes.
- Implement regular review of information system activity.
- Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
- Implement procedures for modifying a user’s right of access to a workstation, transaction, program, or process, or an alternative equivalent measure.
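The second and third steps above (regular review of information system activity, and terminating access when an arrangement ends) are the controls that would have surfaced a former contractor still pulling records. The following is an added example, written for this page and not code from OCR, Clearway Pain Solutions, or The HIPAA E-Tool; it runs over a constructed workforce roster, a constructed account-status table and a constructed EMR audit-log excerpt in a hypothetical CSV format (timestamp, user, action, records touched), and flags access by accounts whose engagement has ended, accounts that appear in the log but not in the roster, bulk exports, and accounts still enabled after their end date.

```python
from datetime import date, datetime

# Constructed workforce roster (hypothetical): account -> (role, engagement end date or None if active).
# In practice this would come from HR or the contractor-management system.
ROSTER = {
    "jdoe": ("physician", None),
    "consult01": ("contractor", date(2018, 8, 31)),
    "nurse_k": ("nurse", None),
}

# Constructed identity-system state (hypothetical): whether each account can still log in.
ACCOUNT_STATUS = {"jdoe": "enabled", "consult01": "enabled", "nurse_k": "enabled"}

# Constructed EMR audit-log excerpt (hypothetical CSV format: timestamp,user,action,records_touched).
AUDIT_LOG = """\
2018-08-15T09:12:00,consult01,export_patient_list,1200
2019-01-10T22:41:00,consult01,export_patient_list,30000
2019-01-11T08:05:00,jdoe,view_chart,1
2019-02-03T23:17:00,consult01,export_patient_list,30000
2019-02-04T10:00:00,nurse_k,view_chart,3
2019-02-04T10:30:00,tempuser9,view_chart,1
"""


def parse_audit_log(text):
    """Parse the CSV excerpt into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count)})
    return events


def find_post_termination_access(events, roster):
    """Return (timestamp, user, reason) for activity by accounts that should not be active.

    Two conditions are flagged: the account's engagement end date is before the event,
    or the account is not in the roster at all (nobody vouches for it).
    """
    findings = []
    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            findings.append((ev["ts"].isoformat(), ev["user"], "account_not_in_roster"))
            continue
        _role, end = entry
        if end is not None and ev["ts"].date() > end:
            findings.append((ev["ts"].isoformat(), ev["user"], "access_after_engagement_ended"))
    return findings


def find_bulk_exports(events, threshold=1000):
    """Flag bulk patient-list exports regardless of who performed them."""
    return [(ev["ts"].isoformat(), ev["user"], ev["count"])
            for ev in events
            if ev["action"] == "export_patient_list" and ev["count"] >= threshold]


def stale_accounts(roster, account_status, as_of):
    """Deprovisioning check: accounts still enabled after their engagement end date.

    `as_of` is an ISO date string; this is the review you run on a schedule,
    independent of whether any log activity has been seen.
    """
    as_of_date = date.fromisoformat(as_of)
    return sorted(user for user, (_role, end) in roster.items()
                  if end is not None and end < as_of_date
                  and account_status.get(user) == "enabled")


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    for f in find_post_termination_access(events, ROSTER):
        print("REVIEW:", *f)
    for f in find_bulk_exports(events):
        print("BULK EXPORT:", *f)
    print("Still enabled past end date as of 2019-02-01:",
          stale_accounts(ROSTER, ACCOUNT_STATUS, "2019-02-01"))
```

On the constructed data the contractor's August 2018 export is within the engagement and is only reported as a bulk export, while the two 2019 exports are reported both as post-termination access and as bulk exports; the unrosterd `tempuser9` account is flagged as well. The `stale_accounts` check is the piece that does not depend on catching activity at all: run against the roster on a schedule, it would have listed `consult01` as still enabled from September 2018 onward.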
Workforce training is also essential to deter theft. Training should underscore the importance of compliance and communicate the sanctions for noncompliance.
The HIPAA E-Tool® Strengthens Compliance
The HIPAA E-Tool® contains everything required for robust HIPAA compliance for covered entities and business associates, with separate editions for both.
Policies for the Privacy, Security, and Breach Notification Rules are included, along with a Risk Analysis module, the Security Rule checklist, HIPAA training, HIPAA Audit guidance, and business associate management.