Why Clinical Lab HIPAA Settlement Is Significant
Agreement Includes Extensive Corrective Action Plan
This story has been updated with a statement from AEON.
A federal $25,000 HIPAA settlement with a clinical laboratory is significant because it calls for a wide-ranging corrective action plan. And the enforcement action is unusual because it's the result of a compliance review of a covered entity not directly tied to the data breach that triggered the investigation.
Under the settlement, Peachstate Health Management LLC, a Georgia-based clinical laboratory company, must implement comprehensive reforms of its HIPAA Security Rule compliance program and designate an independent entity to monitor that compliance for three years.
"The corrective action plan is extensive. … Requiring an independent monitor is rare in HIPAA settlement agreements," says regulatory attorney Paul Hales of the law firm Hales Law Group.
"The settlement payment is very small in light of the wide scope of Peachstate’s HIPAA violations described by OCR," he adds. "Despite the low settlement amount, the terms of the corrective action plan are strong and confirm OCR’s commitment to HIPAA enforcement."
Privacy attorney David Holtzman offers a similar assessment. "The breadth and the scope of Peachstate’s mitigation program made a part of the settlement is one of the most expansive in recent memory," he says.
"The indication is that OCR’s investigation found that the lab operator had not implemented basic measures required under the HIPAA Security Rule. This organization has a long road ahead under the terms of its three-year corrective action plan that will be overseen by an independent monitor."
The Department of Health and Human Services said its settlement with Peachstate Health Management, which does business as AEON Clinical Laboratories and is owned by AEON Global Health, stems from an Office for Civil Rights investigation into a breach reported in January 2015.
The breach was reported by the Department of Veterans Affairs as involving the VA’s telehealth services program managed by its business associate, Authentidate Holding Corp., or AHC.
HHS OCR says it initiated a compliance review of AHC in August 2016 to determine its compliance with the HIPAA privacy and security rules related to the VA breach.
OCR says that during the compliance review, it learned that AHC and Peachstate had entered into a "reverse merger" in January 2016: in a tax-free exchange, a wholly owned subsidiary of AHC merged with Peachstate.
As a result of the merger, OCR says it opened a compliance review into the clinical laboratories of Peachstate to assess their compliance with the HIPAA rules.
OCR's compliance review of Peachstate found potential violations of a number of HIPAA provisions, including failure to:
- Conduct an accurate and thorough enterprisewide HIPAA security risk assessment;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level as identified in its risk analysis;
- Implement hardware, software or procedural audit mechanisms that record and examine activity in information systems that contain or use electronic protected health information;
- Maintain documentation of policies and procedures to comply with the HIPAA Security Rule standards.
"Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule," said Robinsue Frohboese, acting OCR director.
"The failure to implement basic security rule requirements makes HIPAA-regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” she said.
HHS OCR did not disclose details about the VA breach that launched the agency's HIPAA investigation. HHS OCR also did not immediately respond to Information Security Media Group's request for additional information.
In addition to a financial settlement, OCR's resolution agreement with Peachstate includes a comprehensive corrective action plan that requires the organization to:
- Conduct an enterprisewide risk analysis;
- Develop and implement a security risk management plan;
- Develop, implement and distribute to its workforce written policies and procedures to comply with the HIPAA standards;
- Provide HIPAA training for each workforce member who has access to PHI;
- Designate an individual or entity to be a monitor to review the entity's compliance with the corrective action plan.
In a statement provided to ISMG, AEON Global says the company is "pleased this matter had come to an agreeable end with Peachstate's adoption of a corrective action plan designed to provide assurance of Peachstate's continued monitoring and securing of its ePHI duties."
Broad Enforcement Authority
The settlement with Peachstate illustrates OCR's "broad enforcement authority to initiate compliance reviews. … Legal risk exists for all entities that may be affiliated with an entity experiencing a breach," says privacy attorney Iliana Peters of the law firm Polsinelli.
"For example, OCR has settled cases involving parent companies of HIPAA-covered entities, and covered entity clients of business associates, and now we have this settlement involving an entity related to a business associate," she notes.
HIPAA compliance at related entities can become an enforcement issue for OCR, she adds.
"Due diligence related to data privacy and security, including HIPAA, as part of any merger or acquisition is crucial in our current environment," she says.
"Entities that do not have robust conversations with transaction targets about their data privacy and security posture, any security incidents experienced in recent history and any ongoing litigation or regulatory investigations related to privacy and security incidents cannot accurately assess the liability related to the transaction and may ultimately regret it."
The settlement with Peachstate is OCR's seventh HIPAA enforcement action so far in 2021. Five of the other settlements involved patients' rights to access their medical records (see: HHS Issues Another HIPAA 'Right of Access' Settlement).
OCR's largest settlement so far this year - $5.1 million - was announced in January with Excellus Health Plan. That settlement stemmed from a hacking incident reported in 2015 that affected 9.3 million individuals.