Pain Management Clinic Fined $1.19 Million for Alleged HIPAA Security Rule Violations
On December 3, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against a Florida-based pain management clinic for alleged violations of the HIPAA Security Rule. According to OCR’s Notice of Proposed Determination, a former contractor impermissibly accessed the electronic protected health information (ePHI) of approximately 34,310 individuals on three occasions over a nearly five-month period. As required under HIPAA, the clinic, Gulf Coast Pain Consultants, LLC (Gulf Coast), had filed a breach report with OCR after discovering the incident. The report detailed that the compromised ePHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information. The contractor was indicted for generating approximately 6,500 false Medicare claims for services not actually rendered, but was ultimately found not guilty.
OCR found that Gulf Coast had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems. OCR also found that Gulf Coast had failed to implement the following protective procedures: (1) regularly reviewing records of activity in information systems, (2) terminating former workforce members’ access to ePHI, and (3) establishing and modifying workforce members’ access to information systems. Each of these failures amounted to a separate violation of the HIPAA Security Rule. In assessing an appropriate penalty for these violations, OCR took into account that, although its investigation found multiple long-standing Security Rule violations, Gulf Coast had responded to the technical assistance OCR provided during the investigation and did not contest OCR’s findings.
In its press release announcing the penalty, OCR reminded HIPAA-regulated entities of the threats to health care privacy and security posed by current and former workforce members. In the words of OCR Director Melanie Fontes Rainer, “[e]ffective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.” OCR also underscored, consistent with the HIPAA Security Rule, the importance of taking specific steps to mitigate or prevent cyber threats, including integrating risk analysis and risk management into business processes.
In addition to mitigating harm caused by gaps in information security, cooperation with government authorities investigating a security breach can significantly affect the enforcement penalties imposed by such authorities, as OCR’s consideration of Gulf Coast’s cooperation in this case underscores. Like OCR, state attorneys general and other enforcement authorities have repeatedly demonstrated their general appreciation for transparency and assistance from entities under investigation, including in security breach investigations where identifying technical and administrative causes may require extensive forensic probing.
The authors of this Blog post and their colleagues in the Arnold & Porter Privacy, Cybersecurity & Data Strategy practice group are available to provide counsel on OCR’s actions in this area, enforcement brought by OCR and other regulators, and more broadly on privacy and security compliance.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.