Insider Breach, Email Attacks Net $1.7M in HIPAA Fines, P2
- Shidonna Raven
December 6, 2024
Source: Bank Info. Security
Gulf Coast Incident
The pain management practice investigation centered on a former independent business consultant who was under contract. The contractor was accused of accessing the practice's electronic health records containing patients' protected health information to commit alleged Medicare claims fraud.
HHS OCR said Gulf Coast reported that the contractor was retained in May 2018 to provide business consulting services and stopped providing those services in August 2018.
But in February 2019, Gulf Coast discovered the former contractor continued to access the practice's electronic medical records without authorization on three occasions to retrieve patients' protected health information for use in potential fraudulent Medicare claims. Upon the discovery, Gulf Coast terminated the contractor's access to its systems.
The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information and primary care information.
The former contractor, who was not named by HHS OCR, was later indicted for generating 6,500 false Medicare claims for services that were not rendered. He was ultimately found not guilty.
"Current and former workforce can present threats to healthcare privacy and security - risking continuity of care and trust in our healthcare system," said Melanie Fontes Rainer, HHS OCR director, in a statement.
"Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents."
OCR's investigation into the Gulf Coast incident found that the practice committed four HIPAA Security Rule violations: failure to conduct an accurate and thorough risk analysis; failure to implement procedures to regularly review records of activity in information systems; failure to implement procedures for terminating former workforce members’ access to ePHI; and failure to implement procedures for establishing and modifying workforce members’ access to information systems.
HHS OCR issued a notice of proposed determination in August informing Gulf Coast that the agency would impose a civil monetary penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. HHS OCR issued its notice of final determination to Gulf Coast in September.
Gulf Coast did not immediately respond to Information Security Media Group's request for comment on HHS OCR's enforcement action against the practice.
How can such practices impact your health? How? Why?