“The past is never dead. It’s not even past.” (Faulkner, “Requiem for a Nun” 73).
In early December of 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty (CMP) against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants, or Gulf Coast) for HIPAA Security Rule violations – mostly HIPAA workforce access violations. CMP details are provided below.
HIPAA Workforce Access Violations: It’s That Contractor
Gulf Coast is a pain management medical practice whose 126 employees work across the Southeast and mid-Atlantic – in Alabama, Florida, Delaware, Maryland, New Jersey, and Pennsylvania.
In May of 2018, Gulf Coast hired an independent contractor to provide business consulting services. The engagement was to run for roughly one year, from May 8, 2018 to April 30, 2019. The contractor stopped providing services in August of 2018.
In late February of 2019, Gulf Coast discovered that between early September of 2018 and early February of 2019, the contractor had impermissibly accessed Gulf Coast’s electronic medical record (EMR) system, reaching the electronic protected health information (ePHI) of approximately 34,310 individuals. The contractor’s account, in other words, remained active for months after the work stopped.
Gulf Coast later learned that the contractor had kept working – just not on the work bargained for. The contractor used the ePHI to generate medical claims for services that were never rendered, resulting in approximately 6,500 false Medicare claims. (The contractor was indicted and was ultimately found not guilty.)
HIPAA Workforce Access Violations: A Failure to Communicate
Upon discovering the extracurricular activities, Gulf Coast terminated the contractor’s access to its systems. In April of 2019, as required by the HIPAA Breach Notification Rule, Gulf Coast filed a breach report with OCR. Gulf Coast noted in its report that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information – exactly the data set a would-be fraudster would be happy to get their (cyber) hands on.
OCR investigated the incident. Upon concluding the investigation, OCR found that Gulf Coast had not conducted a thorough and accurate risk analysis, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), prior to the breach incident. (Gulf Coast did not conduct a security risk analysis that complies with the HIPAA Security Rule until September 30, 2022.)
OCR also concluded that:
1. Prior to the breach incident, Gulf Coast had not implemented policies and procedures to regularly review records of information system activity containing ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(D). Gulf Coast did not implement a compliant policy until April 10, 2020.
2. Prior to the breach incident, Gulf Coast had not implemented termination procedures, as required by 45 C.F.R. § 164.308(a)(3)(ii)(C), for removing access to ePHI when a workforce member separates from Gulf Coast (i.e., when the employment of, or other arrangement with, a workforce member ends). Gulf Coast did not implement a compliant policy until April 10, 2020.
3. Prior to the breach incident, Gulf Coast had not implemented policies and procedures, as required by 45 C.F.R. § 164.308(a)(4)(ii)(C), for establishing, documenting, reviewing, and modifying a user’s right of access to a workstation, transaction, program, or process. Gulf Coast did not implement a compliant policy addressing this HIPAA workforce access requirement until April 15, 2020.
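The three findings above describe controls, not just paperwork: a roster of who is entitled to access and until when, a termination step that disables accounts when an arrangement ends, and a periodic review of system activity that would have surfaced a departed contractor’s logins months earlier. The following is an added example, not Gulf Coast’s or OCR’s code, written here to illustrate those controls. It reconciles a constructed workforce roster against constructed EMR access-log lines: it lists enabled accounts whose access should already have ended, and flags chart accesses that occurred after a member’s separation or contract end, or from accounts with no roster entry at all. The account names, dates, roster columns and log format are all assumptions.

```python
"""Workforce access reconciliation against EMR access-log lines.

Added example, not Gulf Coast's or OCR's code. Roster rows, log lines and
account names are constructed to mirror the fact pattern above: a contractor
whose services ended in August 2018 but whose account kept reaching the EMR
until February 2019.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed roster. arrangement_end: contractual end date; separated_on: day
# the person actually stopped working (blank if still active); enabled: current
# state of the EMR account.
ROSTER_CSV = """\
username,role,arrangement_end,separated_on,enabled
jdoe,physician,,,yes
ksmith,billing,,,yes
consult01,contractor,2019-04-30,2018-08-15,yes
rlee,nurse,,2018-11-30,yes
"""

# Constructed EMR access log: timestamp, account, action, object.
ACCESS_LOG = """\
2018-08-01T09:12:00 consult01 VIEW chart=1001
2018-09-04T22:41:00 consult01 VIEW chart=2043
2018-12-13T23:05:00 consult01 EXPORT chart=3310
2019-02-02T01:17:00 consult01 VIEW chart=4102
2018-11-29T14:00:00 rlee VIEW chart=1188
2018-12-01T08:30:00 rlee VIEW chart=1188
2019-01-10T10:00:00 jdoe VIEW chart=1001
2019-01-11T03:00:00 tmp_admin VIEW chart=1001
"""


@dataclass(frozen=True)
class Member:
    username: str
    role: str
    arrangement_end: Optional[date]
    separated_on: Optional[date]
    enabled: bool

    def access_end(self) -> Optional[date]:
        """Last day this account may touch ePHI (None = open-ended).

        Actual separation ends access even if the written arrangement runs
        later; a contract end date ends access even if no separation was
        ever recorded. Whichever comes first wins.
        """
        ends = [d for d in (self.arrangement_end, self.separated_on) if d]
        return min(ends) if ends else None


def _opt_date(s: str) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def parse_roster(text: str) -> dict:
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        members[row["username"]] = Member(
            row["username"], row["role"], _opt_date(row["arrangement_end"]),
            _opt_date(row["separated_on"]), row["enabled"].lower() == "yes")
    return members


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, action, obj = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events


def accounts_to_disable(members: dict, as_of: date) -> list:
    """Termination check: enabled accounts whose access end has already passed."""
    return sorted(m.username for m in members.values()
                  if m.enabled and m.access_end() and m.access_end() < as_of)


def post_separation_access(members: dict, events: list) -> list:
    """Activity review: ePHI access by accounts that should not have had it.

    Flags events after the account's access_end, and any event from an account
    with no roster entry (an orphan or shared account nobody owns). Access on
    the final day itself is tolerated.
    """
    findings = []
    for ts, user, action, obj in events:
        m = members.get(user)
        if m is None:
            findings.append((user, ts, action, obj, "no roster entry"))
        elif m.access_end() and ts.date() > m.access_end():
            findings.append((user, ts, action, obj, f"access ended {m.access_end()}"))
    return findings


def review(as_of_iso: str) -> dict:
    """Run both checks over the constructed data as of a given date."""
    roster = parse_roster(ROSTER_CSV)
    return {"disable": accounts_to_disable(roster, date.fromisoformat(as_of_iso)),
            "flags": post_separation_access(roster, parse_log(ACCESS_LOG))}


if __name__ == "__main__":
    report = review("2019-02-28")
    print("accounts to disable:", report["disable"])
    for user, ts, action, obj, why in report["flags"]:
        print(f"FLAG {ts:%Y-%m-%d %H:%M} {user} {action} {obj}: {why}")
```

The design point is in `access_end()`: access ends at the earlier of the actual separation and the contractual end date. In the Gulf Coast fact pattern the written arrangement ran to April 2019, but the entitlement to reach ePHI ended when services stopped in August 2018, and a review keyed only to the contract date would have missed five months of activity. Running the termination check as a scheduled job, and the activity review over each period’s logs, is what the two missing policies in findings 1 and 2 amount to in practice.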
HIPAA Workforce Access Violations: Stalemate
On January 23, 2024, OCR notified Gulf Coast of the results of its investigation, including the Security Rule violations identified above, and offered Gulf Coast an opportunity to resolve the matter informally.
The parties were not able to resolve this matter informally.
In August of 2024, OCR issued a Notice of Proposed Determination to impose a CMP on Gulf Coast, stating the basis for the CMP and proposing a $1.4 million penalty.
Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a CMP of $1,190,000 via a Notice of Final Determination sent to Gulf Coast in September of 2024.
HIPAA Workforce Access Violations: Cheaper by the Dozen (Months)
In its Notice of Final Determination, OCR noted that it had reduced the proposed CMP by 15% (from $1.4 million to $1.19 million). Why? Per the Notice of Final Determination:
“On July 2, 2024, OCR provided Gulf Coast with an opportunity to adequately demonstrate that it had recognized security practices (RSPs) in place for the previous 12 months. On July 26, 2024, Gulf Coast responded to OCR’s request. Upon examination of Gulf Coast’s responsive materials, OCR determined that Gulf Coast’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 2(c)(15) of the National Institute of Standards and Technology Act. Therefore, OCR applied a reduction to the CMP based on Gulf Coast’s sufficient implementation of RSPs.”
HIPAA Workforce Access Violations: The (Painful) Takeaway
In a press release announcing the CMP (the sixth of calendar year 2024), OCR Director Melanie Fontes Rainer noted: “Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system. Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”