February 3, 2023

Volume XIII, Number 34

The Risks of HIPAA Non-Compliance Can Survive – and Even Grow – Post Closing

A recent settlement agreement between a clinical laboratory and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve potential HIPAA Security Rule violations is a cautionary tale for covered health care providers everywhere. There are two key lessons to note. First, a monetary penalty or fine may be the least financially burdensome consequence of HIPAA non-compliance, because corrective action plans (CAPs) can be extremely costly. Second, in the context of a health care transaction, such as a merger or acquisition, non-compliance by one party to the transaction can prompt enforcement against the other party and even that party’s future business partners. This is the case even if the non-compliance preceded closing.

On January 7, 2015, the U.S. Department of Veterans Affairs (VA) reported a breach of unsecured protected health information (PHI) involving its Telehealth Services Program. This program was managed by the VA’s business associate, Authentidate Holding Corporation (AHC). Consequently, on August 31, 2016, OCR began to review AHC’s compliance with the HIPAA Privacy and Security Rules in connection with the breach. During its review, OCR discovered that AHC had acquired Peachstate Health Management, Inc., d/b/a AEON Clinical Laboratories (Peachstate), through a reverse merger on January 27, 2016. Notably, this merger occurred a full year after the VA had reported the initial breach of PHI. Despite the fact that the breach had occurred prior to the merger, OCR also initiated a compliance review of Peachstate to determine whether its clinical laboratories were in compliance with the Privacy and Security Rules. OCR identified various potential violations of the Security Rule, including failures to complete a security risk analysis, to implement security measures and mechanisms to reduce the risk of a breach, and to maintain policies and procedures that comply with HIPAA’s Security Rule.

Peachstate agreed to pay $25,000 to settle the potential violations, a relatively meager amount considering the size of the compliance gap identified and the lack of a security risk assessment, an essential aspect of maintaining Security Rule compliance. However, this amount is a mere drop in the bucket in comparison to the cost of the CAP Peachstate has agreed to implement. Peachstate and OCR entered into a three-year resolution agreement involving an aggressive correction plan with close monitoring by OCR. The CAP requires Peachstate to:

  • Conduct an enterprise-wide risk analysis

  • Develop and implement a risk management plan

  • Develop policies and procedures designed for HIPAA Security Rule compliance

  • Distribute the aforementioned policies and procedures

  • Develop training materials for the workforce

  • Designate an independent monitor

  • Submit implementation reports, non-compliance reports, and annual reports

The CAP includes OCR monitoring and requires OCR approval of all CAP deliverables on very tight timelines. If OCR requires revisions to any compliance measure, Peachstate must revise and resubmit to OCR within 30 days. OCR will continuously monitor Peachstate for the next three years until Peachstate consistently demonstrates Security Rule compliance. Furthermore, CAP costs will easily exceed the $25,000 penalty. For example, the cost of hiring a qualified independent monitor alone will quickly exceed the penalty, especially because OCR must approve the designated monitor, so Peachstate must secure a qualified expert.

An additional and crucial takeaway from this settlement is the depth to which OCR dives when investigating an allegation of HIPAA non-compliance. In this instance, OCR was investigating another party’s breach, yet Peachstate was not even involved with that party or any of the activities that resulted in the breach. Peachstate only became involved after merging with a business partner of the breaching party. OCR’s inquiry continued post-closing and eventually led to Peachstate identifying the non-compliance that will haunt it for the next three years. This enforcement action sends a warning signal to regulated entities and parties to health care transactions. The risks of HIPAA non-compliance not only survive closing, but they can also arise post-closing and affect future business partners.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume XI, Number 154

About this Author

Dianne Borque, Of Counsel, Mintz

Dianne advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care. As former in-house counsel to an academic medical center, a large part of her practice involves counseling researchers and research sponsors in matters related to FDA and OHRP regulated clinical research, including patient consent, access to and use of tissue and associated patient information, and the Institutional Review Board process. In addition, Dianne currently serves as a Vice Chair of AHLA's...

(617) 348-1614

Stephnie focuses her practice on health law matters, including regulatory compliance issues, fraud and abuse allegations, reimbursement issues, and investigations.

Prior to joining Mintz, Stephnie was an attorney advisor at the Office of General Counsel of the DC Department of Health Care Finance. Stephnie provided DC’s Medicaid agency with legal and compliance counsel and defended it in administrative proceedings, such as provider appeals of Medicaid payment suspensions based on allegations of fraud and pharmacy overpayment recoupments identified by state Medicaid audit. During the...