OCR issues $1.19M HIPAA penalty against Florida provider
OCR imposed a $1.19 million HIPAA penalty against Gulf Coast Pain Consultants after a former contracted employee improperly accessed PHI to submit fraudulent Medicare claims.
The HHS Office for Civil Rights imposed a $1.19 million HIPAA penalty against Florida-based Gulf Coast Pain Consultants over a data breach that affected more than 34,000 individuals.
The breach occurred when a former contractor impermissibly accessed Gulf Coast's EMR system three separate times in an effort to obtain protected health information (PHI) and submit fraudulent Medicare claims.
The former contractor, who was under a one-year contract with Gulf Coast for business consulting services, successfully generated 6,500 false Medicare claims and was later indicted and found not guilty.
Gulf Coast filed a breach report with the Office for Civil Rights in April 2019. In June 2019, OCR launched an investigation into the breach report and Gulf Coast's compliance with HIPAA. The investigation revealed that Gulf Coast had not conducted a thorough risk analysis prior to the breach.
What's more, the investigation revealed that Gulf Coast had failed to implement termination procedures to comply with HIPAA's requirement to remove access to PHI when employment ends. OCR also alleged that Gulf Coast had failed to implement policies to regularly review information system activity containing PHI, and to document and modify a user's right of access to a workstation, program or process.
OCR held Gulf Coast liable for a $1.19 million civil money penalty due to its violation of four HIPAA Security Rule provisions.
"Current and former workforce can present threats to health care privacy and security -- risking continuity of care and trust in our health care system," said OCR Director Melanie Fontes Rainer.
"Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents."
OCR encouraged HIPAA-covered entities to continue mitigating cyber threats by implementing risk analyses, proper termination procedures and other HIPAA provisions.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.