On December 4th, 2024, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that it had imposed a $1.19 million civil money penalty (CMP) against a Florida pain management clinic (the “Clinic”) in relation to a HIPAA breach. The breach was caused by a former contractor that had impermissibly accessed the Clinic’s electronic medical record system to exfiltrate personal health information (PHI) for use in potential fraudulent Medicare claims. The HIPAA breach lasted for a six-month period before discovery, from August 2018 to February 2019, and involved the PHI of over 34,000 individuals.
OCR’s investigation of the incident revealed that the Clinic’s practices violated several HIPAA rules and subjected the Clinic to a relatively large CMP in comparison to other recently imposed fines—including for breaches affecting larger numbers of individuals. Although the fines issued for HIPAA breaches and violations over the past several years have been somewhat modest, the CMP issued in this case demonstrates OCR’s willingness and ability to impose significant penalties where governed organizations neglect their obligations with respect to their patients’ data.
OCR identified four HIPAA Security Rule violations that formed the basis for the imposition of CMPs:
- Failure to Conduct Risk Assessment: The Clinic did not perform a thorough and accurate risk assessment to identify, evaluate, and address the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it stored until September 30, 2022. This failure is particularly significant now, given HHS’ recent notice of proposed rulemaking that seeks to substantially increase governed entities’ obligations with respect to risk assessments and vulnerability testing.
- Failure to Implement System Activity Review Procedures: The Clinic failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, until April of 2020.
- Insufficient Termination Procedures: The Clinic failed to implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ended.
- Failure to Implement or Maintain User Access Procedures: The Clinic failed to implement policies and procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process until April 2020.
To avoid similar penalties, OCR recommends that covered entities, which include healthcare providers, health plans, and clearinghouses, as well as their business associates that are covered by HIPAA, implement the following policies and procedures to mitigate or prevent cyber threats:
- Integrate risk assessment policies and procedures into regular business processes.
- Implement regular reviews of information system activities to detect unauthorized access, threats or vulnerabilities.
- Maintain and adhere to procedures for terminating access to ePHI when a workforce member’s employment or contract ends.
- Implement policies and procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
Additionally, stakeholders are advised to stay informed with respect to guidance and information regularly published by OCR regarding measures that entities may implement to improve and ensure their compliance with HIPAA data privacy and security standards.
How Frier Levitt Can Help
This incident underscores the importance of covered entities maintaining and adhering to adequate privacy and security policies in accordance with HIPAA, including managing and regularly auditing external user access to records and conducting appropriate, timely risk assessments. Covered entities are also advised to seek appropriate indemnification obligations from their business associate consultants to aid in offsetting certain costs and expenses incurred by the covered entity as a result of the business associate’s act or omission.
Contact Frier Levitt for assistance evaluating a potential breach, developing or updating HIPAA compliance plans, and remaining apprised of relevant updates and changes to HIPAA.