Clinical Laboratory Resolves HIPAA Security Rule Violations with OCR by Paying $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) reported that it has reached a settlement with Peachstate Health Management, LLC, also known as AEON Clinical Laboratories, over multiple HIPAA Security Rule violations.

Peachstate is a CLIA-approved laboratory that offers a variety of services, including clinical and genetic testing, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR began a compliance investigation on August 31, 2016, after the U.S. Department of Veterans Affairs (VA) reported, on January 7, 2015, a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had partnered with AHC to support the VA’s Telehealth Services Program. The goal of the OCR investigation was to determine whether the breach was the result of a failure to comply with the HIPAA Privacy and Security Rules.

In the course of the breach investigation, OCR discovered that on January 27, 2016, AHC had entered into a reverse merger with Peachstate and had acquired ownership of Peachstate. OCR subsequently carried out a compliance review of Peachstate’s clinical laboratories to examine their Privacy and Security Rule compliance. In that investigation, OCR identified several likely HIPAA Security Rule violations.

Peachstate was found not to have conducted an accurate and thorough assessment to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

No hardware, software, or procedural mechanisms had been put in place to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay a $25,000 penalty, and implement a thorough corrective action plan addressing all areas of noncompliance identified by OCR during the investigation. Peachstate will be monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. Failure to implement fundamental Security Rule requirements makes HIPAA-regulated entities attractive targets for malicious activity and puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that entities comply with the rules that safeguard the privacy and security of protected health information.