In April 2019, DataBreaches reported that Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute had recently notified patients after discovering on February 20 that their EMR system had been accessed by a third party without authorization. At the time, they disclosed that 35,000 patients had been affected but they did not indicate that the third party was a former contractor.
Today, HHS OCR announced a $1.19 million civil monetary penalty against the practice for HIPAA Security Rule violations, and its press release names the third party as a former contractor:
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants) in Florida, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI).
“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
OCR initiated an investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor had impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
OCR found four violations by Gulf Coast Pain Consultants of the HIPAA Security Rule, including failures to:
- conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
- implement procedures to regularly review records of activity in information systems;
- implement procedures to terminate former workforce members’ access to ePHI; and
- implement procedures for establishing and modifying workforce members’ access to information systems.
In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.
The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html
The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html
OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber threats:
- Integrate risk analysis and risk management into business processes.
- Implement regular review of information system activity.
- Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
- Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
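Two of the four cited failures, not reviewing records of information system activity and not terminating a former contractor's access, come down to a reconciliation that any covered entity can run on a schedule: compare the EMR's account list and audit log against the HR roster, and flag any enabled account or any access event that belongs to someone whose arrangement has ended. The script below is an added example, not code from HHS OCR, DataBreaches, or Gulf Coast Pain Consultants. The HR roster, EMR account export, audit-log line format, field names, user IDs and the 1,000-chart bulk-export threshold are all constructed assumptions; the sample log is shaped to resemble the three-occasion pattern described in the release, not taken from any real system.

```python
"""Reconcile an EMR account export and audit log against the HR roster.

Added example. Every dataset below is constructed, and the CSV columns and
audit-log layout are assumptions about what an EMR might export, not any
vendor's real format.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed HR roster: an empty term_date means the person is still active.
HR_ROSTER_CSV = """user_id,name,relationship,term_date
jsmith,J. Smith,employee,
rbiller,R. Biller,contractor,2019-01-15
mnurse,M. Nurse,employee,
"""

# Constructed EMR account export: accounts that exist and whether they are enabled.
EMR_ACCOUNTS_CSV = """user_id,enabled
jsmith,true
rbiller,true
mnurse,true
svc_backup,true
"""

# Constructed EMR audit log: "<ISO timestamp> <user> <action> key=value ...".
EMR_AUDIT_LOG = """2019-02-01T08:02:11Z jsmith CHART_VIEW chart=1043
2019-02-03T22:14:05Z rbiller REPORT_EXPORT charts=12000
2019-02-10T23:41:50Z rbiller REPORT_EXPORT charts=11000
2019-02-18T01:05:19Z rbiller REPORT_EXPORT charts=11310
2019-02-18T09:30:00Z mnurse CHART_VIEW chart=2201
"""

# Assumption: an export touching this many charts in one event is "bulk".
BULK_EXPORT_THRESHOLD = 1000


def parse_roster(text):
    """Map user_id -> termination datetime (UTC) or None if still active."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["term_date"].strip()
        roster[row["user_id"]] = (
            datetime.fromisoformat(term).replace(tzinfo=timezone.utc) if term else None
        )
    return roster


def orphaned_accounts(roster, accounts_text):
    """Enabled EMR accounts whose owner is terminated or absent from HR entirely."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        uid = row["user_id"]
        if uid not in roster:
            findings.append((uid, "no HR record for this account"))
        elif roster[uid] is not None:
            findings.append((uid, f"owner terminated {roster[uid].date()}, account still enabled"))
    return findings


def parse_audit_log(text):
    """Parse the constructed audit-log format into event dicts with aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, uid, action, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": uid,
            "action": action,
            "charts": int(fields.get("charts", 0)),
        })
    return events


def review_activity(roster, events):
    """Flag events by unknown or terminated users and bulk exports; one finding per event."""
    findings = []
    for ev in events:
        reasons = []
        if ev["user"] not in roster:
            reasons.append("activity by account with no HR record")
        elif roster[ev["user"]] is not None and ev["ts"] >= roster[ev["user"]]:
            reasons.append(f"access after termination on {roster[ev['user']].date()}")
        if ev["charts"] >= BULK_EXPORT_THRESHOLD:
            reasons.append(f"bulk export of {ev['charts']} charts")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    roster = parse_roster(HR_ROSTER_CSV)
    for uid, why in orphaned_accounts(roster, EMR_ACCOUNTS_CSV):
        print(f"ACCOUNT  {uid}: {why}")
    for f in review_activity(roster, parse_audit_log(EMR_AUDIT_LOG)):
        print(f"ACTIVITY {f['ts'].isoformat()} {f['user']}: {'; '.join(f['reasons'])}")
```

Run against the constructed data, the account check reports the former contractor's still-enabled account (the access-termination failure) and a service account with no HR owner, and the activity review flags each of the contractor's three post-termination exports as both after-termination access and a bulk export. The point of the activity review is that it is only useful if someone actually runs it on a cadence and acts on the output; the account check is the cheaper control and would have closed the door before the first export.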
Source: HHS OCR