On May 25, 2021, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with a clinical laboratory for noncompliance with the HIPAA Security Rule. Peachstate Health Management, Inc. d/b/a AEON Clinical Laboratories (Peachstate) is a CLIA-certified laboratory that provides clinical and genetic testing services. It is regulated as a covered entity under HIPAA. Pursuant to its settlement with OCR, Peachstate agreed to pay $25,000 and enter into a three-year Corrective Action Plan.
The OCR settlement with Peachstate originated from a breach reported to OCR by the U.S. Department of Veterans Affairs (VA) in January 2015. That breach involved a business associate of the VA, Authentidate Holding Corporation (AHC). During its 2016 compliance review of AHC, OCR determined that AHC acquired Peachstate and, in December, 2017, initiated a compliance review of Peachstate. The passage of more than six years from the initial breach report to the settlement with Peachstate illustrates the time that it can take for an investigation to be resolved, particularly if there are multiple entities involved.
While investigating Peachstate, OCR found “systemic noncompliance” with the HIPAA Security Rule. In particular, OCR determined that Peachstate failed to conduct an accurate and thorough enterprise-wide security risk assessment, that it failed to implement measures to reduce security risks and vulnerabilities, that it did not implement mechanisms to record and examine information system activity, and that it failed to enact Security Rule policies and procedures.
While the financial settlement of $25,000 is not a very high amount relative to many of OCR’s enforcement actions, most Corrective Action Plans end after two years, rather than the three years required for Peachstate. In addition, OCR requires Peachstate to hire an independent monitor with HIPAA compliance expertise to review Peachstate’s compliance with the Corrective Action Plan and to assist Peachstate with its Security Rule compliance, which also is not a standard requirement for OCR settlements. These serve as important reminders to covered entities and business associates that the financial aspect of an OCR settlement should never be viewed as the only “expense” resulting from HIPAA enforcement. Entities that have put into place a cursory HIPAA compliance program, or who are not conducting periodic and comprehensive security risk assessments or otherwise updating HIPAA compliance when necessary should understand that ongoing compliance efforts and expenses may be significantly more manageable than those resulting from an OCR enforcement action or settlement.