The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has charged Gulf Coast Pain Consultants, LLC with a $1.19 million civil monetary penalty for failing to block ex-employee members’ access to systems that contain electronic protected health information (ePHI) and for violating other HIPAA Security Rules.
Pain management practice Gulf Coast Pain Consultants, LLC, also referred to as Clearway Pain Solutions Institute, has centers located in Alabama, Delaware, Florida, New Jersey, Maryland, and Pennsylvania. The company hired an independent contractor for one year starting on May 3, 2018 as its business consulting services provider. The contract was supposed to end on April 30, 2019 but the contractor discontinued providing Gulf Coast Pain Consultants with its services in August 2018.
Coast Pain Consultants found out on February 20, 2019 that the independent contractor accessed its EHR system three times from September 7, 2018, to February 3, 2019, without authorization. The contractor accessed the ePHI of approximately 34,310 people, including their names, telephone numbers, addresses, email addresses, birth dates, chart numbers, insurance data, primary care data, and Social Security numbers.
Gulf Coast Pain Consultants discovered later about 6,500 false Medicare claims for services that were not delivered by the contractor. The consultant was charged for those false claims but was not pronounced guilty. One day after discovering the unauthorized access, Gulf Coast Pain Consultants blocked the former contractor from accessing its systems. The healthcare provider submitted a data breach report to OCR on April 5, 2019.
OCR started an investigation to evaluate Gulf Coast Pain Consultants’ compliance with the HIPAA Rules and discovered that the practice conducted a HIPAA-compliant risk analysis for the first time on September 30, 2022. Gulf Coast Pain Consultants did not enforce guidelines and procedures for routinely checking activity in IT systems that contain ePHI, which indicated the contractor had accessed electronic health records on several instances. HIPAA-compliant guidelines and procedures for checking logs were not enforced until April 10, 2020, that is about 9 months after OCR advised Gulf Coast Pain Consultants that it would be under HIPAA compliance investigation.
OCR decided that guidelines and procedures for stopping ex-workforce members’ access to ePHI were first enforced on April 10, 2020. The guidelines and procedures for creating, documenting, examining, and changing users’ right of access to data systems that contain ePHI were not enforced before the breach. Implementation started on April 15, 2020.
Gulf Coast Pain Consultants was confirmed to have never complied with the HIPAA Security Rule’s 45 C.F.R. § 164.308(a)(ii)(A), §164.308(a)(1)(ii)(D), §164.308(a)(3)(ii)(c), and §164.308(a)(4)(ii)(c). Gulf Coast Pain Consultants was informed about the results of the investigation and was given a chance to resolve the problem informally. However, the two parties were unable to reach an informal agreement. Gulf Coast Pain Consultants presented proof of mitigating factors, but OCR confirmed that they failed to show a waiver of a civil monetary penalty and enforced a $1.19 million financial penalty.
This is OCR’s 14th HIPAA enforcement action with an issuance of financial penalty in 2024. This is also OCR’s 6th civil monetary penalty in 2024 involving HIPAA rules noncompliance.
Present and past employees can become threats to healthcare privacy and security that lead to endangering the continuity of patient care and confidence in our healthcare program. Efficient cybersecurity and HIPAA Security Rule compliance means taking action to review who could access health data and respond immediately to suspected security threats.