Clinical Laboratory Agrees to Settlement with HHS for Potential HIPAA Security Rule Violations Despite Not Being Involved in Data Breach

King & Spalding

On May 25, 2021, HHS announced that Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), agreed to a $25,000 settlement and adoption of a comprehensive Corrective Action Plan for potential violations of the HIPAA Security Rule. Peachstate is a CLIA-certified laboratory that provides diagnostic and laboratory tests, including clinical and genetic testing. HHS initiated a HIPAA compliance review of Peachstate following a data breach involving Peachstate’s affiliate. Peachstate ultimately settled with HHS despite not being involved with the data breach that prompted the compliance review.

A data breach of unsecured PHI by Peachstate’s merger partner, Authentidate Holding Corporation (AHC), triggered the Peachstate compliance review. On January 7, 2015, the Department of Veterans Affairs reported a data breach involving a telehealth services program managed by its business associate, AHC. On August 31, 2016, HHS initiated a compliance review of AHC to determine its compliance with the HIPAA Privacy and Security Rules related to the data breach. During the compliance review of AHC, HHS learned that AHC and Peachstate had entered into a “reverse merger” in January 2016, whereby AHC acquired Peachstate. HHS then decided to conduct a review of Peachstate’s laboratories to assess their compliance with the HIPAA Privacy and Security Rules.

During the compliance review, HHS “found systemic noncompliance with the HIPAA Security Rule” and determined that Peachstate failed to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI;

  • Implement security measures sufficient to reduce the risks and vulnerabilities identified in its risk analysis or assessment to a reasonable and appropriate level;

  • Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI; and

  • Maintain documentation of policies and procedures to comply with the HIPAA Security Rule standards.

As a result of the compliance review, Peachstate agreed to a $25,000 monetary settlement and to adopt a comprehensive three-year Corrective Action Plan, which includes:

  • Conducting an enterprise-wide risk analysis;

  • Reviewing and revising written policies and procedures, subject to HHS review and approval;

  • Distributing the HHS-approved written policies and procedures to its workforce;

  • Providing HIPAA training for each workforce member who has access to PHI; and

  • Designating an individual or entity to monitor and review the entity's compliance with the Corrective Action Plan.

Peachstate did not admit to liability under the settlement terms. The HHS Resolution Agreement and Corrective Action Plan are available here.
