HHS reaches agreement with clinical laboratory over suspected violations of the HIPAA safety rule
On May 25, 2021, the Office for Civil Rights (“OCR”) of the US Department of Health (“HHS”) announced that it had reached an agreement with Peachstate Health Management, LLC (“Peachstate”) for violating the HIPAA safety rule . As part of that settlement, Peachstate (dba AEON Clinical Laboratories) agreed to pay $ 25,000 in OCR and put in place a solid corrective action plan.
Georgia-based Peachstate provides diagnostic and laboratory-developed testing, including clinical and genetic testing services. In December 2017, OCR began a compliance review of Peachstate to determine whether the company was complying with HIPAA privacy and security regulations. This review revealed that Peachstate had committed systemic violations of the HIPAA security rule, including failure to (1) conduct an enterprise-wide risk assessment; (2) implementation of risk management and audit controls; and (3) maintain documentation of the policies and procedures of the HIPAA security rules.
As part of the corrective action program, which includes three years of monitoring, Peachstate agreed to a number of conditions including (1) performing an enterprise-wide risk analysis; (2) development and implementation of a risk management plan; (3) Revise the Company’s written policies and procedures to comply with federal standards; (4) distribute these policies and procedures to all company employees; and (5) keep all documents and records related to compliance with the corrective action plan for six years.
According to incumbent OCR director Robinsue Frohboese, “Clinical laboratories, like other insured healthcare providers, must adhere to the HIPAA safety rule. Failure to implement basic requirements for safety rules makes HIPAA regulated entities attractive targets for malicious activity and unnecessarily risking patient electronic health information[.]”
Read the termination agreement.