Florida Pain Management Practice Slapped with $1.19 Million HIPAA Fine
When members of the workforce leave employment, access to electronic protected health information (ePHI) must be terminated immediately to ensure there can be no unauthorized access to ePHI. A Florida pain management medical practice discovered the hard way why termination procedures are so important and has been slapped with a $1.19 million civil monetary penalty (CMP).
Gulf Coast Pain Consultants, doing business as Clearway Pain Solutions Institute, retained an independent contractor on May 3, 2018, to provide business consulting services, and entered into a year-long contract that ran from May 8, 2018, to April 30, 2019. The contractor's services required access to the electronic medical record (EMR) system. While the contract was due to run until April 2019, the contractor stopped providing services to Gulf Coast in August 2018. At that point, access to its EMR should have been terminated.
On three occasions after August 2018, the contractor accessed the EMR without authorization and viewed ePHI such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
The EMR was accessed between September 7, 2018, and February 3, 2019, and the unauthorized access was detected on February 20, 2019. On February 21, 2019, the contractor's access was terminated. Gulf Coast later learned that the contractor had generated claims for medical services that were not rendered, and around 6,500 false Medicare claims had been generated. The contractor was indicted for the false claims but was found not guilty.
Gulf Coast reported the breach to the HHS Office for Civil Rights (OCR) on April 5, 2019, and said up to 35,000 individualsโ ePHI was accessed without authorization. As is the case with all data breaches of 500 or more records, OCR launched an investigation to determine if Gulf Coast was compliant with the HIPAA Rules.
The OCR investigation revealed Gulf Coast had not implemented policies and procedures for regularly reviewing activity in information systems that contained ePHI prior to the data breach, in violation of 45 C.F.R. §164.308(a)(1)(ii)(D) of the HIPAA Security Rule. Gulf Coast had not implemented policies and procedures for terminating access to systems containing ePHI when access is no longer required by members of the workforce, in violation of 45 C.F.R. §164.308(a)(3)(ii)(C). HIPAA-compliant policies and procedures were not implemented until April 10, 2020.
Gulf Coast did not implement policies and procedures to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process (45 C.F.R. §164.308(a)(4)(ii)(C)) until April 15, 2020. OCR also determined that, prior to the breach, Gulf Coast had not conducted a thorough and accurate risk analysis, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). The first HIPAA-compliant risk analysis was conducted on September 30, 2022. As a result of these failures, there was unauthorized access to the ePHI of approximately 34,310 patients.
Gulf Coast and OCR were unable to settle the alleged HIPAA Security Rule violations informally, so OCR proceeded to impose a civil monetary penalty. While evidence of mitigating factors was submitted, OCR determined they were insufficient to support a waiver of a civil monetary penalty. When OCR settles potential HIPAA violations informally, a settlement amount and a corrective action plan are agreed upon. When a civil monetary penalty is issued, OCR cannot compel the regulated entity to also agree to a corrective action plan.
“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer when announcing the civil monetary penalty. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
Including this case, in 2024, OCR has imposed 6 civil monetary penalties on HIPAA-regulated entities for non-compliance with the HIPAA Rules, has settled alleged HIPAA Rule violations with 8 HIPAA-regulated entities, and has collected $8,465,781 in payments. This penalty is the second largest of 2024 behind the $4,750,000 settlement with Montefiore Medical Center.