The $1.19 million Health Insurance Portability and Accountability Act (“HIPAA”) penalty imposed on a Florida pain clinic this week sends a clear warning to health plans, health care providers, healthcare clearinghouses and their business associates (“Covered Entities”) to take adequate, documented steps to ensure the defensibility of their own safeguards and other compliance with the HIPAA Security Rule including those from their own current and former workers and service providers.
HIPAA Security Rule
The HIPAA Privacy, Security, and Breach Notification Rules require health plans, health car clearinghouses, and most health care providers, and their business associates (“Covered Entities”) to meet requirements to protect the privacy and security of protected health information (“PHI”). The HIPAA Security Rule included in these rules requires Covered Entities to conduct and maintain documented risk assessments to prove their efforts to comply with detailed national administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (“ePHI”).
Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:
- A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
- A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
- A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
- Aminimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation3 for violations after November 2, 2015.
Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines.
Additionally HIPAA breaches also may expose Covered Entities and their leaders to potential liability for breach liability under securities, electronic crimes, and other data breach and security laws; Federal Sentencing Guideline and other liability for misappropriation of funds, health care or other fraud and other crimes enabled by inadequate compliance or response; trigger fiduciary and other duties and liabilities under the Employee Retirement Income Security Act of 1974 (“ERISA”) for those acting as named or functional fiduciaries; I create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and a host of other legal, operational and business partner and public relations headaches.
New $1.19 Million Settlement
The $1.19 million penalty against Pain Clinic for Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast Pain Consultants”) announced December 4, 2024 by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) shows how quickly a Covered Entity found in violation of these rules can rack up substantial civil monetary penalties. Although specifically involving a health care provider, health plans are exposed to the same risks.
The Gulf Coast Pain Management civil monetary penalty arose from OCR’s finding of “systematic” HIPAA Security Rule violations while investigating a breach report that a former contractor for the company impermissibly accessed their electronic record system.
OCR initiated the investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims.
OCR’s investigation revealed the breach was accomplished by a business consultant independent contractor hired to provide business consulting in 2018, whose contract was terminated prematurely a several months later before the end of the contract term.
After the contract terminated, Gulf Coast did not immediately terminate the former contractor’s system access.
Months later on February 20, 2019, Gulf Coast discovered that on three occasions, between September 7, 2018, and February 3, 2019, the Contractor impermissibly used its access to Gulf Coast’s electronic medical record (“EMR”) system to access the ePHI of approximately 34,310 individuals. On February 21, 2019, Gulf Coast terminated the independent contractor’s access to its systems.
It was later discovered that the Contractor generated medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. The Contractor was indicted under 18 U.S.C. §1347 and §1028(a)(1) and was ultimately found not guilty.
On April 5, 2019, Gulf Coast filed a breach report with OCR concerning this incident. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
Based on the investigation, OCR found four violations by Gulf Coast Pain Consultant of the HIPAA Security Rule, including failures to:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
- Implement procedures to regularly review records of activity in information systems;
- Implement procedures to terminate former workforce members’ access to ePHI; and
- Implement procedures for establishing and modifying workforce members’ access to information systems.
As often happens, the investigation and other processes leading to the settlement were protracted and expensive.
More than four years after the breach and its report, OCR issued a Notice of Proposed Determination in August 2024 seeking to impose a civil money penalty. After Gulf Coast waived its right to a hearing and did not contest OCR’s findings, OCR issued its Notice of Final Determination imposing the $1,190,000 civil money penalty.
Take Aways
Aside from demonstrating the significant penalties that Covered Entities can face for failing to satisfy HIPAA, the settlement also highlights the need for health plans, their fiduciaries, service providers and other HiIPAA_regulated entities to manage data security threats from contractors and other current and former service providers with access to ePHI and other Security Rule compliance.
“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer in its announcement of the penalty. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
OCR recommends that Covered Entities take a number of steps to mitigate or prevent cyber threats including
- Integrate risk analysis and risk management into business processes.
- Implement regular review of information system activity.
- Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
- Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
- A multitude of other risk assessment and mitigation actions required in response to existing and emerging threats arising from time to time as identified and evaluated pursuant to the ongoing conduct of documented risk assessments required by the Security Rule.
Because the Employee Benefit Security Administration views ensuring proper data security and HIPAA compliance an ERISA fiduciary responsibility and includes cybersecurity in its ERISA compliance audits, health plan fiduciaries also face breach of fiduciary duty and other exposures under ERISA.
The author of this update, Cynthia Marcotte Stamer has worked extensively with health plans and insurers, their sponsors and fiduciaries on covered entities and business associates on HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA or other compliance, risk management, or other concerns, contact her.
For More Information
We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Authok
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..
Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.
As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.
In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.
slphrbenefitsupdate.com 