Multiple HIPAA Security Rule Failures Result in $25,000 HIPAA Fine for Clinical Laboratory
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 7th HIPAA violation penalty of 2021 with a $25,000 fine for Peachstate Health Management, LLC, dba AEON Clinical Laboratories.
Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services, mostly through its publicly traded parent company AEON Global Health Corporation (AGHC).
OCR received a breach report from the Department of Veterans Affairs (VA) on December 17, 2015, regarding an incident involving Authentidate Holding Corporation (AHC) that resulted in the exposure of unsecured electronic protected health information (ePHI).
AHC was a business associate of the VA that managed the VA’s Telehealth Services Program. An investigation was launched on August 31, 2016, to determine whether AHC was in compliance with the HIPAA Privacy and Security Rules. During that investigation, OCR learned that AHC acquired Peachstate on January 27, 2016. OCR then launched a HIPAA Privacy and Security Rule compliance review of Peachstate’s clinical laboratories.
OCR identified several areas of noncompliance with the HIPAA Security Rule. Peachstate was found to have violated 45 C.F.R. § 164.308(a)(1)(ii)(A) by failing to conduct a comprehensive, accurate, organization-wide risk analysis to assess risks to the confidentiality, integrity, and availability of ePHI.
45 C.F.R. § 164.308(a)(1)(ii)(B) was violated as security measures had not been implemented to reduce risks to ePHI to a reasonable and appropriate level, and Peachstate was in violation of 45 C.F.R. § 164.312(b) for failing to implement hardware, software, and procedural mechanisms to record and analyze activity in systems used in conjunction with ePHI. There were no documented policies and procedures related to actions, activities, and assessments associated with audit controls, as required by 45 C.F.R. § 164.316(b).
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”
In addition to the $25,000 penalty, Peachstate must comply with a robust corrective action plan to address all areas of noncompliance with the HIPAA Security Rule. OCR will closely monitor Peachstate to ensure compliance with the corrective action plan for a period of 3 years.