Peachstate Health Management, doing business as AEON Clinical Labs, recently settled with the Department of Health and Human Services (HHS) for $25,000 and agreed to a corrective action plan to resolve potential HIPAA Security Rule violations.
The Georgia-based business associate is CLIA-certified and offers diagnostic and lab-developed tests.
It is only the second OCR settlement of 2021 arising from a Security Rule failure rather than a HIPAA Right of Access violation. Recently, Excellus Health Plan paid OCR more than $5 million to resolve potential HIPAA violations following a 2015 breach of patient data.
The settlement stems from a January 2015 security incident reported to OCR by the Department of Veterans Affairs (VA). At the time, the VA's telehealth services program was managed by Authentidate Holding Corporation (AHC).
The breach, which affected 7,000 veterans, was caused by a flaw in the vendor's system. The investigation determined that the affected data had been exposed only to VA staff and vendor personnel. The information included names, dates of birth, contact information, and patient ID numbers.
Before going further, let's take a closer look at the breach that affected those 7,000 veterans.
HIPAA Compliance Breach: VA Healthcare Data Breach Exposes Details of 7,000 Veterans
The VA suffered another healthcare data breach when it announced that the details of around 7,000 veterans were potentially exposed because of a flaw in a contractor's database.
According to Federal News Radio, the VA was alerted to the incident and stated that it was caused by a possible flaw in a specific vendor's system. The VA told the news media that the vendor planned to offer home telehealth services to veterans; more than 790,000 veterans reportedly took advantage of the program in 2014.
An investigation was launched immediately, and security scans performed by the VA confirmed the issue. The vendor assured the department that only VA staff and vendor staff had accessed the data. The security flaw in the vendor's database was corrected immediately, and the department continues to monitor the application.
The information potentially exposed over the web included names, addresses, phone numbers, dates of birth, and VA patient ID numbers. The department notified potentially affected veterans and offered them free credit protection services.
This is only the latest in a long line of cybersecurity problems for the department, which recently failed its annual cybersecurity audit for the 16th consecutive time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit outcome during a House Veterans Affairs Committee hearing. According to Warren, the result was disappointing, particularly given the substantial time and effort invested in 2014.
Even so, auditors told VA leadership that progress had been made since the previous year. In 2013, the Inspector General (IG) identified 6,000 specific cybersecurity vulnerabilities and made 35 recommendations to close the weaknesses. That year, the IG said, the list of vulnerabilities was cut by 21%.
The audit followed a GAO investigation that found the department's cybersecurity lacking. Although the department acted to fix the issues behind a 2012 breach, the GAO reported that weaknesses identified on department workstations had not been remediated in a timely manner, raising the risk that sensitive information, such as veterans' personal details, could be compromised.
These security problems show why healthcare organizations must not only maintain their own cybersecurity measures but also ensure that all third-party companies have safeguards in place. Business associate agreements (BAAs) that account for cybersecurity risks are essential and help hold all parties accountable if a healthcare data breach occurs. The agreement also clarifies and limits how a business associate uses and discloses protected health information (PHI). Without clear BAAs, it is harder to protect patient privacy and to mitigate a potential healthcare data breach.
Now, let's return to the settlement.
VA Healthcare Breach Reported to OCR
The incident was reported to OCR, which in 2016 opened a compliance review of AHC under the HIPAA Privacy and Security Rules. During that review, OCR learned that AHC had acquired Peachstate, prompting it to open a HIPAA compliance review of the lab as well.
The Peachstate review uncovered several potential HIPAA violations, including a failure to conduct an accurate and thorough risk analysis of the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held in its systems.
Peachstate lacked security measures
OCR also found that Peachstate had not implemented security measures to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level, as a risk analysis would have identified.
The review further found that the vendor had not implemented the hardware, software, or procedural mechanisms needed to record and examine activity in its information systems that contain or use ePHI.
Finally, OCR determined that Peachstate did not maintain policies and procedures that met HIPAA's requirements to document and retain records of the actions, activities, and assessments required by its security program.
Clinical laboratories, like other covered healthcare providers, must comply with the HIPAA Security Rule. Failing to implement the Security Rule's requirements makes regulated entities attractive targets for malicious activity and needlessly puts individuals' electronic health information at risk.
The settlement reiterates OCR's commitment to enforcing the HIPAA rules that protect the privacy and security of PHI.
Peachstate entered into a corrective action plan
In addition to the financial penalty, Peachstate agreed to a corrective action plan (CAP) with OCR that includes three years of monitoring.
The CAP requires the vendor to conduct the HIPAA-required enterprise-wide risk analysis of the security risks and vulnerabilities to the ePHI that Peachstate creates, receives, maintains, or transmits, covering its IT systems, electronic media, and workstations.
The results must be forwarded to HHS for approval or any required revisions. The risk analysis must be performed annually and updated in response to environmental or operational changes that could affect the security of ePHI.
The CAP also requires the vendor to develop, maintain, and revise its security policies and procedures to comply with the HIPAA Security Rule, and to distribute them to all applicable workforce members. Staff must also receive annual training on those policies.