July 31, 2021

Volume XI, Number 212

Advertisement

July 30, 2021

Subscribe to Latest Legal News and Analysis

July 29, 2021

Subscribe to Latest Legal News and Analysis

July 28, 2021

Subscribe to Latest Legal News and Analysis

HHS Reaches Settlement with Clinical Laboratory for Alleged Violations of HIPAA Security Rule

On May 25, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Peachstate Health Management, LLC (“Peachstate”) for violations of the HIPAA Security Rule. As part of this settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay OCR $25,000 and to implement a robust corrective action plan.

Peachstate, which is based in Georgia, provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. In December 2017, OCR began a compliance review of Peachstate to determine the company’s compliance with the HIPAA Privacy and Security Rules. This review found that Peachstate engaged in systemic noncompliance with the HIPAA Security Rule, including failures to (1) conduct an enterprise-wide risk analysis; (2) implement risk management and audit controls; and (3) maintain documentation of HIPAA Security Rule policies and procedures.

As part of the corrective action program, which includes three years of monitoring, Peachstate agreed to a number of conditions, including (1) conducting an enterprise-wide risk analysis; (2) developing and implementing a risk management plan; (3) revising the company’s written policies and procedures to comply with federal standards; (4) distributing these policies and procedures to all members of the company’s workforce; and (5) maintaining all documents and records related to compliance with the corrective action plan for six years.

According to Acting OCR Director Robinsue Frohboese, “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information[.]”

Read the Resolution Agreement.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 152
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement