
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Failure to Terminate Access Rights Results in $1.19 Million HIPAA Fine

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.19 million civil monetary penalty on a Florida pain management practice for failing to terminate former workforce members’ access to systems containing electronic protected health information (ePHI) and other HIPAA Security Rule violations.

Gulf Coast Pain Consultants, LLC, doing business as Clearway Pain Solutions Institute, has locations in Alabama, Florida, Delaware, Maryland, New Jersey, and Pennsylvania. On May 3, 2018, an independent contractor was engaged to provide business consulting services for one year, and the contract was due to expire on April 30, 2019; however, the contractor stopped providing services to Gulf Coast Pain Consultants in August 2018.

On February 20, 2019, Gulf Coast Pain Consultants learned that the contractor had accessed its electronic medical record system on three occasions between September 7, 2018, and February 3, 2019, without authorization to do so, and accessed the electronic protected health information of around 34,310 individuals, including their names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

Gulf Coast Pain Consultants later learned that the contractor had generated around 6,500 false Medicare claims for services that were not rendered. The contractor was indicted for those false claims but was found not guilty. The day after the unauthorized access was discovered, Gulf Coast Pain Consultants terminated the former contractor’s access to its systems, and on April 5, 2019, it filed a breach report with OCR.


OCR launched an investigation to assess whether Gulf Coast Pain Consultants was compliant with the HIPAA Rules and determined that the first time a HIPAA-compliant risk analysis was conducted was on September 30, 2022. Gulf Coast Pain Consultants had failed to implement policies and procedures for regularly reviewing activity in information systems containing ePHI, which meant the contractor was able to access electronic health records on multiple occasions. HIPAA-compliant policies and procedures for reviewing logs were not implemented until April 10, 2020, more than 9 months after OCR informed Gulf Coast Pain Consultants that it was launching an investigation to assess compliance with the HIPAA Rules.

OCR determined that policies and procedures for terminating former workforce members’ access to ePHI were first implemented on April 10, 2020, and policies and procedures for establishing, documenting, reviewing, and modifying users’ right of access to information systems containing ePHI had not been implemented prior to the breach, and were first implemented on April 15, 2020.
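The two controls described above (periodic review of information system activity and prompt termination of access when an engagement ends) are straightforward to operationalize. The following is an added example, not code from OCR, the practice, or the original article: a small Python review script that takes a constructed workforce roster (with a hypothetical engagement end date and revocation date per account) and a few constructed EMR audit-log lines, and reports (a) access events by accounts whose authorization had already ended or that are unknown to the roster, and (b) accounts that were not disabled within a grace period after their engagement ended. Account names, dates, and log format are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

@dataclass
class Engagement:
    account: str
    end_date: date              # last day the person was authorized to access ePHI
    revoked_on: Optional[date]  # date the account was actually disabled; None = still active

# Constructed roster with hypothetical account names (not real data).
ROSTER = [
    Engagement("contractor01", date(2018, 8, 31), None),               # engagement ended, never disabled
    Engagement("nurse07", date(2025, 12, 31), None),                   # current workforce member
    Engagement("temp_billing", date(2018, 6, 30), date(2018, 7, 1)),   # disabled the day after end date
]

# Constructed EMR audit-log lines: ISO timestamp, account, action, number of records touched.
ACCESS_LOG = """\
2018-07-10T09:15:00 contractor01 VIEW_CHART 12
2018-09-07T22:41:00 contractor01 EXPORT_PATIENT_LIST 2500
2018-11-02T08:03:00 nurse07 VIEW_CHART 5
2018-12-01T12:00:00 svc_legacy VIEW_CHART 2
2019-01-15T23:10:00 contractor01 VIEW_CHART 140
2019-02-03T02:55:00 contractor01 EXPORT_PATIENT_LIST 2500
2018-06-15T10:00:00 temp_billing VIEW_CHART 3
"""

def parse_log(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated audit log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "action": action,
            "count": int(count),
        })
    return events

def find_stale_access(roster: list[Engagement], events: list[dict]) -> list[tuple]:
    """Information system activity review: flag events by accounts whose
    authorization had ended before the event, or that are not on the roster at all."""
    by_account = {e.account: e for e in roster}
    findings = []
    for ev in events:
        eng = by_account.get(ev["account"])
        if eng is None:
            findings.append((ev["account"], ev["ts"], "account not on roster"))
        elif ev["ts"].date() > eng.end_date:
            findings.append((ev["account"], ev["ts"], "access after engagement ended"))
    return findings

def find_overdue_revocations(roster: list[Engagement], as_of: date, grace_days: int = 1) -> list[str]:
    """Termination procedure check: accounts not disabled within grace_days of the
    engagement end date. Still-active accounts are measured against as_of."""
    overdue = []
    for eng in roster:
        if eng.end_date >= as_of:
            continue  # engagement still current on the review date
        disabled = eng.revoked_on or as_of
        if (disabled - eng.end_date).days > grace_days:
            overdue.append(eng.account)
    return overdue

if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for account, ts, reason in find_stale_access(ROSTER, events):
        print(f"ALERT {ts.isoformat()} {account}: {reason}")
    for account in find_overdue_revocations(ROSTER, as_of=date(2019, 2, 20)):
        print(f"OVERDUE revocation: {account}")
```

Run on a schedule (monthly is a common cadence for activity review), the first function would have surfaced the September 2018 access on the next review rather than five months later, and the second function makes the missing termination step visible on its own, independent of whether the dormant account was ever used.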

Gulf Coast Pain Consultants was determined to have failed to comply with 45 C.F.R. § 164.308(a)(1)(ii)(A), § 164.308(a)(1)(ii)(D), § 164.308(a)(3)(ii)(C), and § 164.308(a)(4)(ii)(C) of the HIPAA Security Rule. Gulf Coast Pain Consultants was notified of the findings of the investigation and was given an opportunity to settle the matter informally; however, the parties could not reach an informal agreement. Gulf Coast Pain Consultants provided evidence of mitigating factors, but OCR determined that they did not support a waiver of a civil monetary penalty and imposed a financial penalty of $1.19 million.

This is the 14th HIPAA enforcement action of 2024 to result in a financial penalty and OCR’s 6th civil monetary penalty of the year to resolve noncompliance with the HIPAA Rules.

OCR Penalties for HIPAA Violations (2017-2024)

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
