Clinical Laboratory Pays $25,000 to Settle HIPAA Security Rule Violations

The Department of Health and Human Services' Office for Civil Rights (OCR) has announced a settlement with Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories, to resolve several potential violations of the HIPAA Security Rule.

Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR initiated a compliance review on August 31, 2016, following a breach report filed by the U.S. Department of Veterans Affairs (VA) on January 7, 2015. That report concerned a breach of unsecured protected health information (PHI) involving the VA's business associate, Authentidate Holding Corporation (AHC), which the VA had contracted to manage its Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach resulted from a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR learned that on January 27, 2016, AHC had acquired Peachstate through a reverse merger. OCR subsequently conducted a compliance review of Peachstate's clinical laboratories to assess their Privacy and Security Rule compliance. In the course of that review, OCR identified several potential violations of the HIPAA Security Rule.

OCR found that Peachstate had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had failed to reduce those risks and vulnerabilities to a reasonable and appropriate level by implementing suitable security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Peachstate had also failed to implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b), and had failed to implement policies and procedures to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay $25,000, and adopt a comprehensive corrective action plan addressing all areas of non-compliance identified by OCR during the investigation. Peachstate will be monitored by OCR for three years to ensure compliance.

Clinical laboratories, like other HIPAA covered entities, must comply with the HIPAA Security Rule. Failure to implement the required Security Rule standards makes HIPAA-regulated entities attractive targets for malicious activity and needlessly puts patients' ePHI at risk. This settlement reflects OCR's commitment to ensuring that regulated entities comply with the rules that protect the privacy and security of PHI.