Peachstate Health Management, doing business as AEON Clinical Laboratories, is a Georgia-based clinical lab that provides diagnostic and laboratory-developed tests. The lab has recently reached a resolution agreement with the Department of Health and Human Services' Office for Civil Rights (OCR) to resolve potential HIPAA violations.
Why was Peachstate Health Management investigated?
The Peachstate investigation stemmed from a January 2015 security breach that was reported by the Department of Veterans Affairs (VA). The VA had a business associate, Authentidate Holding Corporation (AHC), that was managing its telehealth services program. A flaw in AHC's network system was breached, exposing the personal data of over 7,000 veterans to unauthorized users. OCR launched a review of AHC for possible HIPAA violations in August 2016. During this review, OCR noticed that AHC had acquired Peachstate, which led OCR to review the clinical lab's HIPAA compliance as well.
What did the review reveal?
OCR's compliance review found that Peachstate was not compliant with HIPAA. There were multiple violations concerning the security of protected health information (PHI). The violations included:
- Not conducting HIPAA risk assessments of its network systems
- Not implementing risk management and audit controls
- Not creating or maintaining documentation of HIPAA policies and procedures
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”
What is the Peachstate Health Management resolution agreement?
Peachstate has agreed to pay a $25,000 fine to settle the case. It will also enter into a corrective action plan to address and fix the security issues identified by the OCR. Execution of the corrective action plan will be monitored by the OCR for the next 3 years. The resolution agreement and corrective action plan can be viewed in full on the OCR website.
Take the necessary steps to secure your emails
Even if the PHI stored in your network is never breached, the OCR can still find violations for failing to take the necessary steps to protect PHI. Proactively pursuing HIPAA compliance avoids spending money on fines and being bound by lengthy corrective action plans.
Sending HIPAA compliant email is critical for healthcare organizations. An effective safeguard is email encryption, because only the intended recipient can read an encrypted email. That's where Paubox Email Suite comes in. It seamlessly integrates with your current email provider (like Google Workspace or Microsoft 365) and uses blanket TLS email encryption to send emails directly to your patients' inboxes. Paubox is an easy and secure way to send sensitive data by email while staying HIPAA compliant.