
OCR Settles with AEON Clinical for $25K Over Multiple HIPAA Failures

Peachstate Health Management, d/b/a AEON Clinical Laboratories, will pay OCR $25,000 to resolve potential HIPAA Security Rule failures. The settlement grew out of a compliance review that began with a 2015 data breach of a VA telehealth program managed by a business associate that later acquired Peachstate.

Peachstate Health Management, doing business as AEON Clinical Laboratories, has settled with the Department of Health and Human Services Office for Civil Rights for $25,000 and agreed to a corrective action plan, to resolve potential violations of the HIPAA Security Rule.

The Georgia-based business associate is certified under the Clinical Laboratory Improvement Amendments (CLIA) and provides diagnostic and laboratory-developed tests.

It is only the second OCR settlement of 2021 to stem from a Security Rule failure rather than a HIPAA Right of Access violation. In January, Excellus Health Plan paid OCR $5.1 million to resolve potential HIPAA violations following a 2015 breach of patient data.

The settlement stems from a January 2015 security incident reported to OCR by the Department of Veterans Affairs. At the time, the VA’s Telehealth Service Program was managed by business associate Authentidate Holding Corporation (AHC).

The breach, which impacted 7,000 veterans, was caused by a flaw in the vendor’s system. The investigation determined the impacted information was only exposed to vendor and VA staff. The data included names, dates of birth, contact details, and patient identification numbers.

The incident was reported to OCR, which launched a compliance review of AHC on August 31, 2016 to determine whether it complied with the HIPAA Privacy and Security Rules. During that review, OCR learned that AHC had acquired Peachstate in January 2016, prompting OCR to open a separate compliance review of the clinical lab.

The Peachstate review uncovered multiple potential HIPAA violations, including a failure to conduct an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of the electronic protected health information held in its systems.

OCR also found that Peachstate had not implemented security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, which is precisely what a proper risk analysis would have identified.

The review further determined that the vendor had not implemented the audit controls the Security Rule requires: hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

Lastly, OCR found that Peachstate did not maintain the policies and procedures, or the documentation of its security actions, activities, and assessments, that the HIPAA Security Rule requires.

“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule,” said Acting OCR Director Robinsue Frohboese, in a statement. “The failure to implement basic security rule requirements makes HIPAA-regulated entities attractive targets for malicious activity and needlessly risks patients’ electronic health information.”

“This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information,” she added.

In addition to the monetary payment, Peachstate will enter into a corrective action plan with OCR that includes three years of monitoring. Notably, CAPs commonly include only two years of monitoring.

The CAP requires the vendor to conduct the HIPAA-required enterprise-wide risk analysis of the security risks and vulnerabilities to all ePHI created, received, maintained, or transmitted by Peachstate, covering its workstations, electronic media, and IT systems.

The results must be forwarded to HHS for approval or any required revisions. The risk analysis must be repeated annually and updated in response to environmental or operational changes that would affect the security of ePHI.

Peachstate must also develop and implement a risk management plan based on the results of its risk analysis, and designate an individual or entity to monitor and review the vendor’s compliance with the CAP.

The CAP also requires the vendor to develop, maintain, and revise its security policies and procedures to comply with the HIPAA Security Rule, and to distribute them to all applicable workforce members. Employees must also receive annual training on these measures.
