Two CMPs and One Settlement Close Out 2024 HIPAA Enforcement

Saul Ewing LLP

December 2024 was an active month for the U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"). OCR announced (i) a $1.19 million civil monetary penalty ("CMP") against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute ("GCPC"); (ii) a $548,265 CMP against Children's Hospital Colorado ("CHC"); and (iii) a $250,000 settlement with Inmediata Health Group, LLC ("Inmediata"), a health care clearinghouse, following OCR's receipt of a complaint that HIPAA protected health information was accessible to search engines.

In November 2024, OCR imposed a $100,000 penalty against a mental health center due to its failure to provide timely access to patient records. This was OCR's 51st HIPAA Right of Access enforcement action.

What You Need to Know:

  • CMPs remain a viable tool for OCR to enforce HIPAA violations. 
  • HIPAA Security Rule enforcement (in addition to the Privacy Rule) is a focus of OCR.
  • HIPAA-covered entities and business associates must maintain HIPAA Security Rule and Privacy Rule compliance.

GCPC CMP

OCR initiated its investigation following the receipt of a breach report that a former GCPC contractor had impermissibly accessed its electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR's investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information. 

OCR's investigation revealed four violations of the HIPAA Security Rule by GCPC, including the failure to:

  • conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; 
  • implement procedures to regularly review records of activity in information systems;
  • implement procedures to terminate former workforce members' access to ePHI; and
  • implement procedures for establishing and modifying workforce members' access to information systems.

In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. GCPC waived its right to a hearing and did not contest OCR's findings. A copy of the OCR final determination can be reviewed here.

CHC CMP

The CHC CMP is the result of an OCR investigation following breaches resulting from cyberattacks in 2017 and 2020 against CHC which compromised the PHI of over 14,000 individuals. The first breach, involving a single email account, was caused by disabled multi-factor authentication, compromising the data of 3,370 individuals. The second breach, which involved three email accounts, affected 10,840 individuals, and resulted from workforce members allowing unauthorized third parties to access their accounts.

OCR's investigation into the breaches identified the following violations of the HIPAA Privacy and Security Rules:

  • Failure to conduct a comprehensive risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and
  • Failure to train workforce members on HIPAA Privacy Rule requirements.

In June 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Children's Hospital Colorado waived its right to a hearing and did not contest OCR's findings. A copy of the OCR final determination is located here.

OCR's Recommendations to Healthcare Providers

As a part of the HHS OCR press releases announcing the civil monetary penalties imposed upon Gulf Coast Pain Consultants and Children's Hospital, OCR recommends that healthcare providers and other parties take the following steps to mitigate or prevent cyber threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members' critical role in protecting privacy and security.
  • Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
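Two of the GCPC findings above (no regular review of information system activity, no procedure to terminate former workforce members' access) and the matching OCR recommendations lend themselves to a simple reconciliation check. The script below is an added example, not code from the article, OCR or either organization; the audit log format, the roster fields and all sample records are constructed assumptions.

```python
"""Reconcile an ePHI system's audit log against the workforce roster.

Flags (a) access events dated after a workforce member's termination and
(b) terminated workforce members whose account is still enabled. All data
and field names below are constructed for this example.
"""
from datetime import date

# Constructed workforce roster: user id -> (role, termination date or None)
ROSTER = {
    "jdoe": ("clinician", None),
    "contractor42": ("billing contractor", date(2024, 3, 15)),
    "mlee": ("front desk", date(2024, 6, 1)),
}

# Constructed account status export from the EMR: user id -> enabled?
ACCOUNT_STATUS = {"jdoe": True, "contractor42": True, "mlee": False}

# Constructed EMR audit log: date,user,action,record_count
AUDIT_LOG = """\
2024-03-10,contractor42,view_chart,40
2024-04-02,contractor42,export_claims,1200
2024-04-19,contractor42,export_claims,3000
2024-04-20,jdoe,view_chart,12
2024-06-03,mlee,view_chart,5
"""

def parse_log(text):
    """Parse the constructed CSV-style audit log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        day, user, action, count = line.split(",")
        events.append({"date": date.fromisoformat(day), "user": user,
                       "action": action, "records": int(count)})
    return events

def post_termination_access(log_text, roster):
    """Return (user, date, action, records) for events after termination."""
    findings = []
    for ev in parse_log(log_text):
        ended = roster.get(ev["user"], (None, None))[1]
        if ended is not None and ev["date"] > ended:
            findings.append((ev["user"], ev["date"].isoformat(),
                             ev["action"], ev["records"]))
    return findings

def stale_enabled_accounts(roster, status):
    """Return terminated workforce members whose account is still enabled."""
    return sorted(u for u, (_, ended) in roster.items()
                  if ended is not None and status.get(u, False))

if __name__ == "__main__":
    for f in post_termination_access(AUDIT_LOG, ROSTER):
        print("post-termination access:", f)
    for u in stale_enabled_accounts(ROSTER, ACCOUNT_STATUS):
        print("terminated but still enabled:", u)
```

In practice the roster would come from the HR system and the log from the EMR's audit controls; running the check on a schedule is the "regular review of information system activity" that OCR cited as missing.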

Inmediata Settlement

Inmediata is a health care clearinghouse. In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR's investigation, Inmediata provided a breach notification to HHS and affected individuals. OCR determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI that was disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information.

In addition to potential HIPAA Privacy Rule violations, OCR noted multiple potential HIPAA Security Rule violations including: failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and to monitor and review its health information systems' activity.

Importantly, the Inmediata settlement did not include a corrective action plan ("CAP") which usually occurs as a result of an OCR settlement. OCR noted a CAP was not needed in this instance because Inmediata had previously agreed to a settlement with 33 states that includes corrective actions that address OCR's findings in this matter.

The Inmediata resolution agreement may be found here.

It is not yet known whether the second Trump Administration will be aggressive in enforcing alleged HIPAA violations by entering into settlements or proceeding with CMPs. Regardless, covered entities should maintain HIPAA compliance with both the Privacy Rule and the Security Rule and monitor enforcement activity by OCR.
