Million Dollar Penalty Imposed on Pain Management Practice Following HIPAA Breach

Rivkin Radler LLP

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on December 3 that it imposed a $1.19 million penalty on Gulf Coast Pain Consultants, a pain management practice in Florida, following a security breach that affected over 34,000 individuals.

Gulf Coast filed a breach notification report with OCR, as required under HIPAA, after a former contractor accessed the practice’s electronic health records (EHR) system without authorization. OCR’s investigation found that the former contractor intended to obtain protected health information (PHI) for use in potential fraudulent Medicare claims. The information of approximately 34,310 patients, including the patients’ names, addresses, phone numbers, emails, dates of birth, Social Security numbers and insurance information, was accessed on three separate occasions.

OCR concluded that Gulf Coast failed to comply with the HIPAA Security Rule, which requires, among other things: (i) conducting thorough risk assessments to determine potential risks and vulnerabilities of the practice’s EHR system; (ii) implementing procedures to regularly review records of activity in the system; (iii) implementing procedures to terminate a workforce member’s access to the system when he or she ceases to be employed or engaged by the practice; and (iv) implementing procedures for establishing and modifying workforce members’ access to the system.[1] Taking such steps could have mitigated the risk of the security breach that occurred.

In its press release, OCR reminded all healthcare providers that workforce members may present a real threat to the privacy and security of patient information, and that providers need to be proactive in monitoring who accesses their patient information and responding quickly when unauthorized access is suspected.

  1. HIPAA’s “minimum necessary” standard requires that covered entities limit access to PHI to what is necessary for the workforce member to perform his or her assigned tasks and duties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Rivkin Radler LLP
