Baldwin Bulletin

HHS Imposes $1.19M in Civil Penalties for Failure to Terminate Business Associate’s Access to ePHI

The Baldwin Group | Updated: February 7, 2025 | 4 minute read

On December 3, 2024, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), issued a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants d/b/a Clearway Pain Solutions in Florida for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. An investigation established that a former contractor had impermissibly accessed the electronic protected health information (“e-PHI”) of more than 34,300 individuals in the provider’s electronic record system.

Employer Action Items

  • Review the Guidance: Review the HIPAA Privacy and Security Rules to assure familiarity and compliance.
  • Assess the Status of Existing Business Associate Agreements: Review all Business Associate Agreements and confirm that each includes an expiration date and expressly provides that the business associate’s access to e-PHI expires at the same time the agreement terminates.
  • Develop and Implement Written Policies and Procedures Governing the Administration of e-PHI: Employers should develop written privacy and security policies and procedures governing the administration of confidential and protected health information, including mitigation of the related and interconnected security risks that arise from it.
  • Conduct a Thorough and Accurate Risk Assessment: As required under HIPAA, covered entities should perform risk management activities consistently and on a timely basis. This necessarily requires a Security Risk Analysis, both when the covered entity adopts its written policies and procedures and thereafter, whenever its operational environment changes or a breach of e-PHI occurs.

Summary

In May 2018, Gulf Coast Pain Consultants (a covered entity under HIPAA) hired an independent contractor, Gulf Coast EMR (a business associate under HIPAA), to provide consulting services from May 2018 through April 2019. However, Gulf Coast EMR ceased providing services effective August 2018, only three months into the year-long contract. In February 2019, Gulf Coast Pain Consultants discovered that Gulf Coast EMR had accessed e-PHI on three separate occasions between September 2018 and February 2019, well after the premature termination of the contract in August 2018. It was later alleged that Gulf Coast EMR used that e-PHI to create roughly 6,500 false Medicare claims. Gulf Coast EMR was later indicted on federal charges but was ultimately found not guilty.

In February 2019, Gulf Coast Pain Consultants discovered the unauthorized access to the e-PHI and only then terminated Gulf Coast EMR’s access to its systems. Following that discovery, Gulf Coast Pain Consultants was required to carry out breach notification consistent with the HIPAA Breach Notification Rule, including notice to affected individuals and notice to the Secretary of HHS. In April 2019, Gulf Coast Pain Consultants provided HHS with a breach notification describing the incident and the compromised e-PHI, which included individuals’ names, addresses, phone numbers, email addresses, birth dates, Social Security numbers, chart numbers, and insurance and primary care information. In June 2019, OCR opened an investigation into the breach and Gulf Coast Pain Consultants’ underlying compliance with HIPAA. The investigation determined that Gulf Coast Pain Consultants had not conducted a thorough security risk analysis prior to the breach.

OCR found four violations of the HIPAA Security Rule by Gulf Coast Pain Consultants, namely failures to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to e-PHI in its systems;
  • Implement procedures to review records of activity in information systems regularly;
  • Implement procedures to terminate former workforce members’ access to e-PHI; and
  • Implement procedures for establishing and modifying workforce members’ access to information systems.

In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast Pain Consultants waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.

Consistent with the HIPAA Security Rule, covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. This includes ensuring the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit. They must also identify and protect against reasonably anticipated threats to the security or integrity of the information and reasonably anticipated impermissible uses or disclosures, and ensure compliance by their workforce. In practice, this is accomplished by instituting administrative, technical, and physical security procedures that the covered entity uses to assure the confidentiality, integrity, and availability of e-PHI.

When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Security Rule requires that the covered entity include certain information protections in a business associate agreement (“BAA”). The purpose of the BAA is to clearly set out the safeguards used to protect shared e-PHI and, specifically, how the business associate may use or disclose any shared e-PHI. A covered entity may not authorize a business associate to make any use or disclosure of e-PHI that would violate the Security Rule.

Gulf Coast Pain Consultants failed to implement proper security measures and failed to fully terminate Gulf Coast EMR’s access to its e-PHI when those services ended in August 2018. Gulf Coast Pain Consultants also neglected to complete a security risk analysis to identify potential risks and vulnerabilities to its e-PHI and failed to review activity records in its information systems. These and other failures culminated in the unauthorized access of 34,300 individuals’ e-PHI, which was ultimately used to create roughly 6,500 fraudulent Medicare claims. After the breach was identified, Gulf Coast Pain Consultants followed the proper notification procedures with HHS and implemented corrective measures in April 2020. Had Gulf Coast Pain Consultants adhered to the HIPAA Security Rule and implemented the appropriate security measures and administrative protocols, the breach could have been avoided altogether. Its failure to do so resulted in $1,190,000 in civil monetary penalties and countless hours of resources dedicated to the breach and remedying its consequences.
