HIPAA Security Rule Violations Settled by Clinical Laboratory with OCR for $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Peachstate Health Management, LLC, dba AEON Clinical Laboratories, resolving several violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that offers clinical and genetic testing services to its clients through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR opened a compliance investigation on August 31, 2016, following a breach of unsecured protected health information that the U.S. Department of Veterans Affairs (VA) had reported to OCR on January 7, 2015. The breach involved the VA’s business associate, Authentidate Holding Corporation (AHC), which the VA had hired to manage its Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach resulted from a failure to comply with the HIPAA Privacy and Security Rules.

The investigation revealed that AHC had completed a reverse merger with Peachstate on January 27, 2016 and had acquired Peachstate. OCR then carried out a compliance review of Peachstate’s clinical laboratories to assess their Privacy and Security Rule compliance. That review uncovered a number of potential violations of the HIPAA Security Rule.

Peachstate was found not to have completed an “accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).”

Peachstate had not implemented hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). It had also failed to implement policies and procedures to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case by paying a $25,000 financial penalty and adopting a corrective action plan that addresses all areas of noncompliance identified by OCR during the investigation. OCR will monitor Peachstate’s compliance for 3 years.

Robinsue Frohboese, Acting OCR Director said: “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information. This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”