A recent settlement agreement between a clinical laboratory and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve potential HIPAA Security Rule violations proves to be a cautionary tale for covered health care providers everywhere. There are two key lessons to note. First, a monetary penalty or fine may be the least financially burdensome consequence of HIPAA non-compliance because corrective action plans (CAPs) can be extremely costly. Second, in the context of a health care transaction, such as a merger or acquisition, non-compliance by one party to the transaction can prompt enforcement against the other party and even that party’s future business partners. This is the case even if the non-compliance preceded closing.
On January 7, 2015, the U.S. Department of Veterans Affairs (VA) reported a breach of unsecured protected health information (PHI) involving its Telehealth Services Program. This program was managed by the VA’s business associate, Authentidate Holding Corporation (AHC). Consequently, on August 31, 2016, OCR began to review AHC’s compliance with the HIPAA Privacy and Security Rules related to the breach. During its review, OCR discovered that AHC had acquired Peachstate Health Management, Inc., d/b/a AEON Clinical Laboratories (Peachstate), through a reverse merger on January 27, 2016. Notably, this merger occurred one whole year after the VA had reported the initial breach of PHI. Despite the fact that the breach had occurred prior to the merger, OCR also initiated a compliance review of Peachstate to determine whether its clinical laboratories were in compliance with the Privacy and Security Rules. OCR identified various potential violations of the Security Rule, including failures to complete a security risk analysis, implement security measures and mechanisms to reduce the risk of a breach, and maintain policies and procedures that comply with HIPAA’s Security Rule.
Peachstate agreed to pay $25,000 to settle the potential violations, a relatively meager amount considering the size of the compliance gap identified and the lack of a security risk assessment, an essential aspect of maintaining Security Rule compliance. However, this amount is a mere drop in the bucket in comparison to the cost of the CAP Peachstate has agreed to implement. Peachstate and OCR entered into a three-year resolution agreement involving an aggressive corrective action plan with close monitoring by OCR. The CAP requires Peachstate to:
- Conduct an enterprise-wide risk analysis
- Develop and implement a risk management plan
- Develop policies and procedures designed for HIPAA Security Rule compliance
- Distribute the aforementioned policies and procedures
- Develop training materials for the workforce
- Designate an independent monitor
- Submit implementation reports, non-compliance reports, and annual reports
The CAP includes OCR monitoring and requires OCR approval of all CAP requirements on very tight timelines. If OCR requires revisions to any compliance measure, Peachstate must revise and resubmit to OCR within 30 days. OCR will be constantly monitoring Peachstate for the next three years until Peachstate consistently demonstrates Security Rule compliance. Furthermore, CAP costs will easily exceed the $25,000 penalty. For example, the costs of hiring a qualified independent monitor alone will quickly exceed the penalty, especially given the fact that OCR must approve the designated monitor, so Peachstate must secure a qualified expert.
An additional and crucial takeaway from this settlement is the depth to which OCR dives when investigating an allegation of HIPAA non-compliance. In this instance, OCR was investigating another party’s breach, yet Peachstate was not involved with that party or with any of the activities that resulted in the breach. Peachstate only became involved after merging with a business partner of the breaching party. OCR’s inquiry continued post-closing and eventually led to the identification of non-compliance at Peachstate that will haunt the company for the next three years. This enforcement sends a warning signal to regulated entities and parties to health care transactions. The risks of HIPAA non-compliance not only survive closing, but they can also arise post-closing and affect future business partners.