HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations

3 Dec 2024 9:58 AM | Zachary Edgar (Administrator)

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants) in Florida for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The penalty follows a breach report that a former contractor had impermissibly accessed the company's electronic medical record system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set the requirements that health plans, health care clearinghouses, most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”

OCR initiated an investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor had impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

OCR found four violations of the HIPAA Security Rule by Gulf Coast Pain Consultants, all of them administrative safeguards under 45 CFR 164.308, including failures to:

  • conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems (164.308(a)(1)(ii)(A));
  • implement procedures to regularly review records of activity in information systems, such as audit logs and access reports (164.308(a)(1)(ii)(D));
  • implement procedures to terminate former workforce members' access to ePHI when their employment or other arrangement ends (164.308(a)(3)(ii)(C)); and
  • implement procedures for establishing, documenting, reviewing, and modifying workforce members' access to information systems (164.308(a)(4)(ii)(C)).

In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.

The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html

The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber threats:

  • Integrate risk analysis and risk management into business processes.
  • Implement regular review of information system activity.
  • Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
  • Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
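The second, third, and fourth recommendations above (and the matching violations found against Gulf Coast) come down to one concrete control: compare who actually touched the record system against who is still authorized to. The script below is an added example, not code from Gulf Coast, OCR, or this site, showing what a periodic information system activity review looks like in practice. It joins a workforce roster that records separation dates against an EMR audit log, flags every access by a user after their separation date or by a user who is not on the roster at all, and separately lists separated users whose accounts were never disabled. The log format, the roster fields, and every user name and chart number are constructed for illustration.

```python
"""Added example: reviewing EMR access logs against a workforce roster.

Flags (1) accesses by workforce members after their separation date,
(2) accesses by users with no roster entry, and (3) accounts still enabled
after separation. The log format, roster and all names are constructed for
illustration; they are not Gulf Coast's systems or OCR's data.
"""
import csv
import io
from datetime import date, datetime

# Constructed workforce roster: user id, role, separation date (empty = active),
# and whether the EMR account is still enabled.
ROSTER_CSV = """user,role,separation_date,account_enabled
jdoe,contractor,2024-02-15,true
asmith,nurse,,true
rlee,billing,2023-11-30,false
"""

# Constructed EMR audit log (one line per record access): timestamp, user,
# action, chart number. Chart numbers are fake.
AUDIT_LOG = """2024-02-10T09:12:04 jdoe view_chart 10021
2024-02-20T22:41:17 jdoe export_demographics 10021
2024-02-20T22:43:02 jdoe export_demographics 10022
2024-02-21T08:05:55 asmith view_chart 10023
2024-03-03T01:17:40 jdoe export_demographics 10024
2024-03-04T10:00:00 ghost view_chart 10025
"""


def load_roster(text):
    """Parse the roster into {user: (role, separation_date or None, enabled)}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep = row["separation_date"]
        roster[row["user"]] = (
            row["role"],
            date.fromisoformat(sep) if sep else None,
            row["account_enabled"].lower() == "true",
        )
    return roster


def parse_log(text):
    """Yield (timestamp, user, action, chart) tuples from the audit log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, chart = line.split()
        yield datetime.fromisoformat(ts), user, action, chart


def find_post_separation_access(log_text, roster):
    """Return access events by users who had already separated on that date,
    or who have no roster entry at all (no entry means no authorization)."""
    findings = []
    for ts, user, action, chart in parse_log(log_text):
        entry = roster.get(user)
        if entry is None:
            findings.append((ts.isoformat(), user, action, chart, "not_in_roster"))
            continue
        _, sep_date, _ = entry
        if sep_date is not None and ts.date() > sep_date:
            findings.append((ts.isoformat(), user, action, chart, "after_separation"))
    return findings


def find_stale_accounts(roster, as_of):
    """Return users separated on or before `as_of` whose account is still enabled."""
    return sorted(
        user for user, (_, sep_date, enabled) in roster.items()
        if sep_date is not None and sep_date <= as_of and enabled
    )


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    for finding in find_post_separation_access(AUDIT_LOG, roster):
        print("ACCESS", *finding)
    for user in find_stale_accounts(roster, date(2024, 3, 5)):
        print("STALE ACCOUNT", user)
```

Two design points matter here. First, the check keys off the roster's separation date rather than the account's enabled flag, because the whole failure mode in this case is an account that should have been disabled but was not; the stale-account report catches that gap directly. Second, a user with no roster entry is treated as a finding rather than ignored, since a shared or orphaned login is exactly how a former contractor keeps getting in. Run on a schedule (the Security Rule says "regularly"; daily is a reasonable default for an EMR), bulk exports by a single user in the middle of the night, like the constructed `jdoe` entries, are the pattern that should have prompted an incident response.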

OCR regularly provides guidance and information to the health care industry to support data privacy and security. Recent resources include:

Reference: HHS Office for Civil Rights, HIPAA News Releases & Bulletins


About Me

Zachary Edgar JD, LLM is Therapy Comply's managing partner. Zachary is a healthcare attorney who specializes in federal and state healthcare regulatory issues, particularly for physical, occupational, and speech therapy practices.
