HIPAA Compliance News

Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s’ Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight in his vehicle. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain PUA benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15,2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUB benefits, totaling $1,615,000.

Lombardo faces a maximum jail term of 10 years in prison for the HIPAA violation along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum jail term of 20 years in prison with a fine and penalty assessment, and there is a mandatory minimum 2-year jail term for the aggravated identity theft charges, with the aggravated identity theft jail term consecutive to any other sentences.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”

The post Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case appeared first on HIPAA Journal.

Webinar Today July 8, 2021: All Your HIPAA Questions Answered

In recent years, the Department of Health and Human Services’ Office for Civil Rights has issued guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules and how they apply in certain situations. Even with this guidance, there is still considerable confusion around HIPAA and how the HIPAA Privacy, Security, and Breach Notification Rules and the Omnibus Rule HIPAA updates apply to covered entities and their business associates.

All HIPAA covered entities and business associates must ensure they are compliant with all appropriate provisions of the HIPAA Rules and there are severe penalties for noncompliance. Over the past few years, OCR has stepped up enforcement and regularly imposes financial penalties on covered entities and business associates that are discovered not to have complied with the provisions of HIPAA.

OCR investigates breaches of protected health information, and they are now being reported at record rates. In 2010, the first full year after OCR started publishing summaries of healthcare data breaches on its website, there were 199 reported healthcare data breaches of 500 or more records. In 2020, there were 642 reported breaches… a rise of 222%. The first half of 2021 has just come to an end and there have already been 327 reported breaches this year. There is now a much greater chance of HIPAA violations being discovered. HIPAA compliance has never been more important.

HIPAA Journal regularly receives questions about HIPAA compliance and how the HIPAA Rules apply in certain situations. To help clear up confusion, HIPAA Journal has partnered with Compliancy Group, a leader in the compliance space that educates healthcare providers and their business associates and helps them become and remain HIPAA compliant.

On Thursday, July 8, 2021, you will have an opportunity to have your questions about HIPAA compliance answered in an interactive webinar.

Webinar Today: Thursday July 8, 2021: All Your HIPAA Questions Answered

| 2:00 p.m. ET | 1:00 p.m. CT | 12:00 p.m. MT |11:00 a.m. PT |

“Our goal is to help eliminate any HIPAA stress or concerns you may have. Get quick responses to your questions and gain confidence in compliance today.”

Use the form below to register for the webinar.

The post Webinar Today July 8, 2021: All Your HIPAA Questions Answered appeared first on HIPAA Journal.

No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA) to address improper disclosures of protected health information; however, the ruling suggests there is potentially a cause of action under the 14th amendment when an individual’s privacy is violated.

The case, Payne v. Taslimi, named Christopher N. Payne as plaintiff and Jahal Taslimi as the defendant. Payne was a Deep Meadow Correctional Center inmate and Taslimi a prison doctor. Payne took legal action against Taslimi over an alleged improper disclosure of his confidential medical information. Payne alleged Taslimi had approached his bed and stated in a voice loud enough for others to hear that the plaintiff had not taken his HIV medication. Payne alleged staff members, other inmates, and civilians had heard the doctor.

In the lawsuit, Payne claimed his medical records were confidential and his HIPAA rights had been violated at Deep Meadow Correctional Center by Taslimi, as well as his right to privacy under the 14th Amendment. The district court dismissed Payne’s claims, but the decision was appealed.

The Court of Appeals for the Fourth Circuit affirmed the decision of the district court and confirmed there was no private cause of action under HIPAA. The court also affirmed the decision of the district court to dismiss the claim of a violation of the 14th Amendment.

In the decision, the Court of Appeals said the violation of the 14th Amendment hinged on whether Payne had “a reasonable expectation of privacy” with regards to information about his HIV medications. Since Payne was a Deep Meadow Correctional Center prisoner, the court ruled that Payne lacked a reasonable expectation of privacy concerning his diagnosis and treatment plan, especially since the information was about a communicable disease.

The court ruled that the test in such cases is whether there is a compelling government interest that outweighs the plaintiff’s privacy interest. The ruling suggests there may be a cause of action under the 14th Amendment where there has been a disclosure of private medical information and no compelling government interest.

The post No Private Cause of Action Under HIPAA, but Possible Cause of Action for 14th Amendment Violation appeared first on HIPAA Journal.

Former Mayo Clinic Doctor Charged Over Improper Medical Record Access

In October 2020, Mayo Clinic announced a former employee was discovered to have impermissibly accessed the medical records of approximately 1,600 patients. According to a statement issued by the Mayo Clinic, the former employee viewed demographic information, date of birth, medical record number, clinical notes, and in some cases images. Mayo Clinic said its investigation uncovered no evidence to suggest any patient data was copied or retained. All affected patients were notified about the breach by mail.

The employee in question was Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, who was a doctor at Mayo Clinic. Alsughayer ended his employment with Mayo Clinic in August 2020, around the time that the privacy violation was discovered.

A criminal case has now been opened by the Olmsted County Attorney’s Office. Alsughayer has been charged with gross misdemeanor unauthorized computer access and has been scheduled to appear in court on July 8, 2021. The criminal case stems from allegations that Alsughayer had abused his access rights to view medical records when there was no need to do so to fulfil his role as a doctor and hospital employee. Alsughayer’s legal team filed a motion to dismiss the lawsuit on June 1, 2021 “”on the grounds that there does not exist probable cause to believe the defendant committed the offense(s) charged therein.”

Allegations had previously been made against Alsughayer in three lawsuits, the latest of which was filed against Alsughayer and Mayo Clinic on May 29, 2021. In December 2020, a female patient, named as K.M.M in the lawsuit, contacted Rochester police after receiving a breach notification letter from Mayo Clinic.

She had learned that her medical records had been accessed by a hospital worker, which included nude images that were taken on three separate occasions. After requesting to view her medical records, the woman discovered the dates of inappropriate access coincided with the dates that the images were taken. She alleged the hospital employee referred to in the breach notification letter had accessed her medical records specifically to view her nude images.

According to the lawsuit, the doctor “was at an off-campus, private location” when her medical records were accessed and “Alsughayer did not need photographic images of plaintiff’s breasts and genitals to do his job.” A court hearing has been scheduled in August.

In addition to that lawsuit, two class action lawsuits had already been filed in Olmsted County Court in connection to the breach. Amanda Bloxton-Kippola (MI) and Chelsea Turner (MN) are named as the plaintiffs in one of those lawsuits against Alsughayer and Mayo Clinic, with the second lawsuit naming Olga Ryabchuk (MN) as the plaintiff and John Doe and Mayo Clinic as defendants. One of the lawsuits alleges medical records accessed that included nude photographs taken by Mayo Clinic as part of the healthcare services provided. Both lawsuits have been scheduled for trial next year.

The post Former Mayo Clinic Doctor Charged Over Improper Medical Record Access appeared first on HIPAA Journal.

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records from October 2013 to September 2017 on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 months’ probation and fined her $1,000. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.

The post Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation appeared first on HIPAA Journal.

May 2021 Healthcare Data Breach Report

May was the worst month of 2021 to date for healthcare data breaches. There were 63 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in May. For the past three months, breaches have been reported at a rate of more than 2 per day. The average number of healthcare data breaches per month has now risen to 54.67.

U.S. Healthcare Data Breaches - Past 12 Months

May was also the worst month of the year in terms of the severity of breaches. 6,535,130 healthcare records were breached across those 63 incidents. The average number of breached healthcare records each month has now risen to 3,323,116. 17,733,372 healthcare records have now been exposed or impermissibly disclosed so far in 2021 and almost 40 million records (39.87M) have been breached in the past 12 months.

U.S. Healthcare Data Breaches - Records Breached in the Past 12 Months

Largest Healthcare Data Breaches Reported in April 2021

As was the case in April, there were 19 healthcare data breaches involving 10,000 or more records and 7 of those breaches involved 100,000 or more records. All but one of those breaches was a hacking incident or involved It systems being compromised by other means.

The largest healthcare data breach of the month by some distance affected 20/20 Eye Care Network, a vision and hearing benefits administrator. The records of more than 3.25 million individuals were stored in an AWS S3 bucket that was accessed by an unauthorized individual. Data was downloaded by the attacker before being deleted. Another benefits administrator, SEIU 775 Benefits Group, also suffered a breach in which sensitive data was deleted. That breach involved the PHI of 140,000 individuals.

Over the past two months, several healthcare providers have announced they were affected by a ransomware attack on the third-party administration service provider CaptureRx. At least 26 healthcare providers are known to have had PHI exposed in that breach. This month, CaptureRx issued its own notification to the HSS which confirms the breach affected 1,656,569 individuals. This month, several healthcare organizations have reported they have been affected by a ransomware attack on another business associate, Netgain Technologies. The table below shows the extent to which ransomware has been used in attacks on the healthcare industry.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause Business Associate Involvement
20/20 Eye Care Network, Inc Business Associate 3,253,822 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
NEC Networks, LLC d/b/a CaptureRx Business Associate 1,656,569 Hacking/IT Incident Ransomware attack Yes
Orthopedic Associates of Dutchess County Healthcare Provider 331,376 Hacking/IT Incident Ransomware attack No
Rehoboth McKinley Christian Health Care Services Healthcare Provider 207,195 Hacking/IT Incident Ransomware attack No
Five Rivers Health Centers Healthcare Provider 155,748 Hacking/IT Incident Phishing attack No
SEIU 775 Benefits Group Business Associate 140,000 Hacking/IT Incident Unspecified hacking incident Yes
San Diego Family Care Healthcare Provider 125,500 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Hoboken Radiology LLC Healthcare Provider 80,000 Hacking/IT Incident Hacked medical imaging server No
CareSouth Carolina, Inc. Healthcare Provider 76,035 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Arizona Asthma and Allergy Institute Healthcare Provider 70,372 Hacking/IT Incident Ransomware attack No
New England Dermatology, P.C. Healthcare Provider 58,106 Improper Disposal Improper disposal of specimen bottles No
Sturdy Memorial Hospital Healthcare Provider 57,379 Hacking/IT Incident Ransomware attack No
LogicGate Business Associate 47,035 Hacking/IT Incident Unsecured AWS S3 Bucket Yes
Lafourche Medical Group Healthcare Provider 34,862 Hacking/IT Incident Phishing attack No
Internal Medicine Associates of Jasper, PC, dba Prestige Medical Group Healthcare Provider 34,203 Hacking/IT Incident Ransomware attack No
SAC Health Systems Healthcare Provider 28,128 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Monadnock Community Hospital Healthcare Provider 14,340 Hacking/IT Incident Unspecified hacking incident Yes
Community Access Unlimited Business Associate 13,813 Hacking/IT Incident Ransomware attack (Netgain Technologies) Yes
Westwood Obstetrics and Gynecology Healthcare Provider 12,931 Hacking/IT Incident Unspecified hacking incident Yes

Causes of May 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in May. Out of the 63 reported breaches, 47 (74.60%) were hacking/IT incidents. These incidents resulted in the exposure or theft of 6,432,367 healthcare records – 98.43% of all records breached in the month. The average breach size was 131,273 records and the median breach size was 4,250 records.

There were 9 reported unauthorized access/disclosure incidents involving the records of 17,834 individuals. The average breach size was 1,982 records and the median breach size was 1,562 records. There were 3 loss/theft incidents reported involving the 20,325 records and two incidents involving the improper disposal of protected health information affecting 64,604 individuals.

May 2021 U.S. Healthcare Data Breaches - Causes

While phishing incidents have plagued the healthcare industry over the past few years, it is now network server incidents that dominate the breach reports. 41 of the month’s breaches involved compromised network servers, compared to just 9 incidents involving email.

May 2021 U.S. Healthcare Data Breaches- location of breached PHI

May 2021 Healthcare Data Breaches by Covered Entity Type

47 healthcare providers reported data breaches in May 2021, although only 20 of those incidents were breaches directly involving the healthcare provider. 27 of those breaches were reported by the healthcare provider but occurred at a business associate.

7 data breaches were reported to the HHS’ Office for Civil Rights by business associates of HIPAA-covered entities, although in total, the business associate was present in 31 of the month’s breaches.

8 breaches affected health plans, 4 of which had some business associate involvement, and one breach was reported by a healthcare clearinghouse.

May 2021 healthcare data breaches by covered entity type

States Affected by Healthcare Data Breaches

Healthcare data breaches were reported by HIPAA-covered entities and business associates based in 32 U.S. states.

State No. Reported Data Breaches
Texas 6
New York & Ohio 5
California, Illinois, West Virginia 4
Mississippi & Missouri 3
Florida, Maryland, Massachusetts, New Jersey, & Oklahoma 2
Arizona, Arkansas, Connecticut, Delaware, Georgia, Indiana, Louisiana, Maine, Minnesota, North Carolina, Nevada, New Hampshire, New Mexico, Pennsylvania, Rhode Island, South Carolina, Tennessee, Washington, and Wisconsin 1

HIPAA Enforcement in May 2021

There was one HIPAA enforcement action announced by the HHS’ Office for Civil Rights in May, bringing the total up to 8 for 2021. Most of the settlements announced so far in 2021 have resolved violations of the HIPAA Right of access; however, May’s settlement was for multiple violations of the HIPAA Security Rule.

Most financial penalties stem from an OCR investigation into a data breach or complaint from a patient. May’s financial penalty was atypical, as it was the result of a compliance investigation. OCR had investigated a data breach reported by the Department of Veteran Affairs involving its business associate Authentidate Holding Corporation (AHC).

That investigation was resolved without financial penalty; however, during the investigation OCR learned that AHC had entered into a reverse merger with Peachstate Health Management, LLC, a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR decided to conduct a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance and discovered multiple violations of the HIPAA Security Rule. OCR discovered potential violations related to risk assessments, risk management, audit controls, and a lack of documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000.

The post May 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Free Webinar Today 06/16/21: Social Media and HIPAA Compliance

Social media platforms such as Facebook, Twitter, Snapchat, and Instagram make it easy for healthcare organizations to advertise their services and win new business. Healthcare providers can use social media sites to communicate with patients, provide updates on their services, and engage patients and get them to take a more active role in their healthcare.

While there are many benefits that can come from social media in healthcare, many healthcare organizations rightly see social media networks as minefield of HIPAA violations. This is not only true for the corporate accounts of healthcare providers, but also the personal social media accounts of their employees.

An employee communicating on social media after a particularly difficult day could easily divulge information that could violate patient privacy. There have been many cases of healthcare employees communicating on social media networks, including private Facebook groups, and sharing sensitive information about patients in violation of the HIPAA Rules.

Virtually all healthcare employees have smartphones, and it is common for them to have social media apps on their devices that make it possible to instantly communicate with large numbers of people. It is no surprise that privacy violations on social media networks are now occurring more frequently than ever before.

Social media networks can certainly be used effectively by healthcare organizations, but there are many misunderstandings about how these platforms can be used in a HIPAA compliant manner. It is naturally important to specifically cover the use of social media platforms in training sessions for healthcare employees to make it clear to employees how HIPAA applies to social media networks and what is and is not allowed. Without training for the workforce, HIPAA-covered entities will face a high risk of regulatory fines and lawsuits.

To make it easier for you to train your employees and teach them how they can use social media networks responsibly in their professional and personal lives, HIPAA Journal has teamed up with Compliancy Group for a webinar where attendees will be provided with invaluable advice on social media and HIPAA compliance.

At the webinar you will learn how your practice and employees can use social media networks ethically without violating the HIPAA Rules and patient privacy, as you will discover how you can protect your practice from HIPAA violations.

By the end of the webinar you will have instructions on how to create effective policies covering the use of personal and corporate-owned mobile phones and social media in the office. You will also be provided with real life examples of some of the HIPAA breaches that have occurred as a result of improper social media usage to help ensure similar mistakes are not made by your practice and employees.

Webinar Details:

Social Media & HIPAA Compliance: Simple Ways to Protect Your Business

Date:     Wednesday June 16, 2021

Time:     2:00 pm ET / 11 am PT

The post Free Webinar Today 06/16/21: Social Media and HIPAA Compliance appeared first on HIPAA Journal.

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) that resolves a potential HIPAA Right of Access violation. This is the 8th financial penalty to be announced in 2021 to resolve violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative that was launched in the fall of 2019.

DELC is a West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint that alleged DELC had failed to respond to a request for a copy of protected health information in a timely manner. The HIPAA Privacy Rule requires a copy of an individual’s protected health information contained in a designated record set to be provided within 30 days of a request being received.

In this case, the complainant wanted a copy of her minor child’s protected health information and DELC had failed to provide those records within the allowed 30 days. OCR notified DELC on October 30, 2019 about the investigation into potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) over the alleged refusal to provide the patient’s mother with the records she requested.

OCR determined the failure to provide the requested records was in violation of the HIPAA Right of Access. As a result of OCR’s investigation, DELC finally provided the child’s mother with a copy of the requested records in May 2021, almost two years after the initial request had been made.

In addition to the financial penalty of $5,000, DELC has agreed to a corrective action plan that includes reviewing and updating policies and procedures for providing individuals with access to PHI and privacy training for the workforce on individual access to PHI. DELC will be monitored by OCR for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

“It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records,” said Acting OCR Director Robinsue Frohboese.  “Covered entities owe it to their patients to provide timely access to medical records.”

The post Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Resolve HIPAA Right of Access Case appeared first on HIPAA Journal.

Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Peachstate Health Management, LLC, dba AEON Clinical Laboratories to result multiple violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that provides a range of services including clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR launched a compliance investigation on August 31, 2026 following a breach of unsecured protected health information reported by the U.S. Department of Veterans Affairs (VA) on January 7, 2015 involving its business associates, Authentidate Holding Corporation (AHC). The VA had contracted with AHC to manage the VA’s Telehealth Services Program. The aim of the OCR investigation was to assess whether the breach was the result of the failure to comply with the HIPAA Privacy and Security Rules.

During the course of the investigation, OCR learned that AHC had entered into a reverse merger with Peachstate on January 27, 2016 and had acquired Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. During that investigation OCR identified multiple potential violations of the HIPAA Security Rule.

Peachstate was discovered not to have conducted an accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A) and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI, in violation of 45 C.F. R. § 164.312(b). Policies and procedures had not been implemented to record actions, activities, and assessments demanded by 45 C.F. R. § 164.312(b), which was in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case and pay a $25,000 penalty and will implement an extensive corrective action plan to address all areas of noncompliance identified by OCR during the course of the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

The post Clinical Laboratory Settles HIPAA Security Rule Violations with OCR for $25,000 appeared first on HIPAA Journal.