The Risks of HIPAA Non-Compliance Can Survive – and Even Grow – Post Closing

Mintz - Health Care Viewpoints

A recent settlement agreement between a clinical laboratory and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve potential HIPAA Security Rule violations proves to be a cautionary tale for covered health care providers everywhere. There are two key lessons to note. First, a monetary penalty or fine may be the least financially burdensome consequence of HIPAA non-compliance, because corrective action plans (CAPs) can be extremely costly. Second, in the context of a health care transaction, such as a merger or acquisition, non-compliance by one party to the transaction can prompt enforcement against the other party and even that party’s future business partners. This is the case even if the non-compliance preceded closing.

On January 7, 2015, the U.S. Department of Veterans Affairs (VA) reported a breach of unsecured protected health information (PHI) involving its Telehealth Services Program. This program was managed by the VA’s business associate, Authentidate Holding Corporation (AHC). Consequently, on August 31, 2016, OCR began to review AHC’s compliance with the HIPAA Privacy and Security Rules related to the breach. During its review, OCR discovered that AHC had acquired Peachstate Health Management, Inc., d/b/a AEON Clinical Laboratories (Peachstate), through a reverse merger on January 27, 2016. Notably, this merger occurred one whole year after the VA had reported the initial breach of PHI. Despite the fact that the breach had occurred prior to the merger, OCR also initiated a compliance review of Peachstate to determine whether its clinical laboratories were in compliance with the Privacy and Security Rules. OCR identified various potential violations of the Security Rule, including failures to complete a security risk analysis, to implement security measures and mechanisms to reduce the risk of a breach, and to maintain policies and procedures that comply with HIPAA’s Security Rule.

Peachstate agreed to pay $25,000 to settle the potential violations, a relatively meager amount considering the size of the compliance gap identified and the lack of a security risk assessment, an essential aspect of maintaining Security Rule compliance. However, this amount is a mere drop in the bucket in comparison to the cost of the CAP Peachstate has agreed to implement. Peachstate and OCR entered into a three-year resolution agreement involving an aggressive corrective action plan with close monitoring by OCR. The CAP requires Peachstate to:

  • Conduct an enterprise-wide risk analysis
  • Develop and implement a risk management plan
  • Develop policies and procedures designed for HIPAA Security Rule compliance
  • Distribute the aforementioned policies and procedures
  • Develop training materials for the workforce
  • Designate an independent monitor
  • Submit implementation reports, non-compliance reports, and annual reports

The CAP includes OCR monitoring and requires OCR approval of all CAP deliverables on very tight timelines. If OCR requires revisions to any compliance measure, Peachstate must revise and resubmit it to OCR within 30 days. OCR will monitor Peachstate continuously for the next three years, until Peachstate consistently demonstrates Security Rule compliance. Furthermore, CAP costs will easily exceed the $25,000 penalty. For example, the cost of hiring a qualified independent monitor alone will quickly exceed the penalty, especially given that OCR must approve the designated monitor, so Peachstate must secure a qualified expert.

An additional and crucial takeaway from this settlement is the depth to which OCR dives when investigating an allegation of HIPAA non-compliance. In this instance, OCR was investigating another party’s breach, yet Peachstate was not even involved with that party or with any of the activities that resulted in the breach. Peachstate only became involved after merging with a business partner of the breaching party. OCR’s inquiry was ongoing post-closing and eventually led to the identification of non-compliance at Peachstate that will haunt Peachstate for the next three years. This enforcement sends a warning signal to regulated entities and to parties to health care transactions: the risks of HIPAA non-compliance not only survive closing, but can also arise post-closing and affect future business partners.
