HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations

Systemic HIPAA Security Rule violations lead to OCR’s 6^th penalty of the year

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants) in Florida, concerning violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI).

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”

OCR initiated an investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor had impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

OCR found four violations by Gulf Coast Pain Consultant of the HIPAA Security Rule, including failures to:

• conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
• implement procedures to regularly review records of activity in information systems;
• implement procedures to terminate former workforce members’ access to ePHI; and
• implement procedures for establishing and modifying workforce members’ access to information systems.

In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.

The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html

The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html

OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber threats:

• Integrate risk analysis and risk management into business processes.
• Implement regular review of information system activity.
• Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
• Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.

OCR regularly provides guidance and information to the health care industry to support data privacy and security. Recent resources include:

• Cybersecurity Newsletter on Social Engineering
• Video on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English
• OCR Webinar on The HIPAA Security Rule Risk Analysis Requirement
• HIPAA Security Rule Guidance Materials

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.