Today, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC, operating as Clearway Pain Solutions Institute in Florida. This penalty comes in response to violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule following a breach report indicating that a former contractor had improperly accessed their electronic records system.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which outline the requirements that health plans, healthcare clearinghouses, most healthcare providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to safeguard the confidentiality, integrity, and security of electronic PHI (ePHI) through administrative, physical, and technical safeguards.

“Current and former workforce members can pose significant threats to healthcare privacy and security, jeopardizing the continuity of care and trust in our healthcare system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule require proactive measures to monitor access to health information and respond swiftly to suspected security incidents.”

The investigation was initiated after Gulf Coast Pain Consultants reported that a former contractor had unlawfully accessed their electronic medical record system to obtain PHI for potential fraudulent Medicare claims. OCR’s investigation revealed that the unauthorized access occurred on three occasions, impacting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

OCR identified four violations of the HIPAA Security Rule by Gulf Coast Pain Consultants:

  • Failure to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to ePHI.
  • Failure to implement procedures for regularly reviewing records of information system activity.
  • Failure to implement procedures for terminating former workforce members’ access to ePHI.
  • Failure to implement procedures for establishing and modifying workforce members’ access to information systems.

In August 2024, OCR issued a Notice of Proposed Determination to impose a civil money penalty. Gulf Coast Pain Consultants waived their right to a hearing and did not contest OCR’s findings, resulting in the imposition of a $1,190,000 penalty.

The Notice of Proposed Determination can be found here.

The Notice of Final Determination can be found here.

OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats:

  • Integrate risk analysis and risk management into business processes.
  • Regularly review information system activity.
  • Implement procedures for terminating access to ePHI when a workforce member’s employment or arrangement ends.
  • Establish and modify user access rights to workstations, transactions, programs, or processes, or implement equivalent measures.

Create Your HIPAA Security Policies