On May 25, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Peachstate Health Management, LLC (“Peachstate”) for violations of the HIPAA Security Rule. As part of this settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay OCR $25,000 and to implement a robust corrective action plan.

Peachstate, which is based in Georgia, provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. In December 2017, OCR began a compliance review of Peachstate to determine the company’s compliance with the HIPAA Privacy and Security Rules. This review found that Peachstate engaged in systemic noncompliance with the HIPAA Security Rule, including failures to (1) conduct an enterprise-wide risk analysis; (2) implement risk management and audit controls; and (3) maintain documentation of HIPAA Security Rule policies and procedures.

As part of the corrective action program, which includes three years of monitoring, Peachstate agreed to a number of conditions, including (1) conducting an enterprise-wide risk analysis; (2) developing and implementing a risk management plan; (3) revising the company’s written policies and procedures to comply with federal standards; (4) distributing these policies and procedures to all members of the company’s workforce; and (5) maintaining all documents and records related to compliance with the corrective action plan for six years.

According to Acting OCR Director Robinsue Frohboese, “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information[.]”

Read the Resolution Agreement.