Gulf Coast Pain Consultants Notice of Proposed Determination

U.S. Department of Health and Human Services
Office for Civil Rights, Southeast Region
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303
Voice – (800) 368-1019
TDD – (800) 537-7697
Fax – (202) 619-3818
http://www.hhs.gov/ocr

Via Personal Service

August 14, 2024

Ira Kornbluth, President
Clearway Pain Solutions
201 Defense Highway, Ste. 205
Annapolis, MD 21401

Re:      Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast)
            OCR Transaction Number: 19-339057

Notice of Proposed Determination

Dear Dr. Kornbluth:

Pursuant to the authority delegated by the Secretary of the United States Department of Health and Human Services (“HHS”) to the Office for Civil Rights (“OCR”), I am writing to inform you that OCR is proposing to impose a civil money penalty (“CMP”) of $1,190,000 against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast”).

This proposed action is being taken under the regulations promulgated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), § 262(a), Pub.L. 104-191, 110 Stat. 1936, as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009, Public Law 111-5, Section 13410, codified at 42 U.S.C. § 1320d-5, at 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164.

I. The Statutory Basis for the Proposed CMP

The Secretary of HHS is authorized to impose a CMP (subject to the limitations set forth at 42 U.S.C. § 1320d-5(b)) against any covered entity, as described at 42 U.S.C. § 1320d-1(a), that violates a provision of Part C (Administrative Simplification) of Title XI of the Social Security Act. See HIPAA, § 262(a), as amended, 42 U.S.C. § 1320d-5(a). This authority includes imposing CMPs for violations of the applicable provisions of the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (ePHI) (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule (45 C.F.R. Parts 160 and 164, Subpart D). The Secretary has delegated enforcement responsibility for the HIPAA Rules to the Director of OCR. See 65 Federal Register (Fed. Reg.) 82381 (Dec. 28, 2000) and 74 Fed. Reg. 38630 (July 27, 2009). OCR is authorized under the HITECH Act § 13410, 42 U.S.C. § 1320d-5(a)(3),[1] to impose CMPs for violations occurring on or after February 18, 2009,[2] of:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.[3] The adjusted amounts are applicable only to CMPs whose violations occurred after November 2, 2015.

OCR is precluded from imposing a CMP unless the action is commenced within six years from the date of the violation.[4]

II. Findings of Fact

  1. Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast”) is a pain management medical practice with 126 employees, and locations in Alabama, Florida, Delaware, Maryland, New Jersey, and Pennsylvania.
  2. Gulf Coast is a covered entity as defined at 45 C.F.R. § 160.103, and, therefore, is required to comply with the HIPAA Rules.
  3. Gulf Coast is a health care provider that transmits health information in electronic form in connection with transactions for which HHS has adopted standards, including electronically submitting insurance claims for payment.
  4. On May 3, 2018, Gulf Coast retained an independent contractor to provide business consulting. The contract term between Gulf Coast and the Contractor was to last for one year, beginning on May 8, 2018, and ending on April 30, 2019.
  5. The Contractor stopped providing services to Gulf Coast in August of 2018.
  6. On February 20, 2019, Gulf Coast discovered that on three occasions, between September 7, 2018, and February 3, 2019, the Contractor impermissibly accessed Gulf Coast’s electronic medical record (EMR) system and accessed the electronic protected health information (ePHI) of approximately 34,310 individuals. It was later discovered that the Contractor generated medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. The Contractor was indicted under 18 U.S.C. §1347 and §1028(a)(1) and was ultimately found not guilty.
  7. On February 21, 2019, Gulf Coast terminated the independent contractor’s access to its systems.
  8. On April 5, 2019, Gulf Coast filed a breach report with OCR concerning this incident. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
  9. On June 28, 2019, OCR notified Gulf Coast, in writing, of its commencement of an investigation of this breach report and of Gulf Coast’s compliance with the HIPAA Privacy, Security and Breach Notification Rules.
  10. The evidence collected during OCR’s investigation reveals that Gulf Coast did not conduct a thorough and accurate risk analysis as required by 45 C.F.R. § 164.308(a)(ii)(A) prior to the breach incident. Gulf Coast did not conduct a risk analysis that complies with the Security Rule until September 30, 2022.
  11. The evidence collected during OCR’s investigation revealed that Gulf Coast had not implemented policies and procedures to regularly review records of information system activity containing ePHI as required by 45 C.F.R. §164.308(a)(1)(ii)(D) prior to the breach incident. Gulf Coast did not implement a compliant policy until April 10, 2020.
  12. The evidence collected during OCR’s investigation revealed that prior to the breach incident, Gulf Coast did not implement termination procedures to comply with 45 C.F.R. §164.308(a)(3)(ii)(c) that would include removing access to ePHI for workforce members who had separated from Gulf Coast (e.g., when the employment of, or other arrangement with, a workforce member ends). Gulf Coast did not implement a compliant policy until April 10, 2020.
  13. The evidence collected during OCR’s investigation revealed that prior to the breach incident, Gulf Coast did not implement policies and procedures to comply with 45 C.F.R. §164.308(a)(4)(ii)(c) that establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process. Gulf Coast did not implement a compliant policy until April 15, 2020.
  14. On January 23, 2024, OCR notified Gulf Coast of OCR’s investigation results, including the above identified violations of the Security Rule, and offered Gulf Coast an opportunity to resolve the matter informally.
  15. The parties were not able to resolve this matter informally. On March 20, 2024, pursuant to 45 C.F.R. § 160.312(a)(3), OCR sent Gulf Coast a Letter of Opportunity (LOO). The LOO informed Gulf Coast that OCR’s investigation found preliminary indications that Gulf Coast failed to comply with four provisions of the Security Rule, and that this matter had not been resolved by informal means despite OCR’s attempts to do so. The LOO stated that pursuant to 45 C.F.R. § 160.312(a)(3), OCR is providing Gulf Coast with an opportunity to submit written evidence of any mitigating factors (45 C.F.R. § 160.408) or affirmative defenses (45 C.F.R. § 160.410) for OCR’s consideration in determining a civil money penalty (CMP) pursuant to 45 C.F.R. § 160.404. The letter also advised Gulf Coast that it may submit written evidence to support a waiver of a CMP pursuant to 45 C.F.R. § 160.412. Each act of noncompliance under the Security Rule was described in the letter.
  16. Gulf Coast responded to the LOO on April 18, 2024.
  17. OCR determined that the information and arguments submitted by Gulf Coast do not support an applicable affirmative defense pursuant to 45 C.F.R. § 160.410. See Section IV below.
  18. OCR considered factors pursuant to 45 C.F.R. § 160.408, including Gulf Coast’s LOO response alleging a mitigating factor, and aggravating factors based on evidence obtained by OCR during its investigation, in determining the amount of the CMP. See Section V below.
  19. OCR determined that the information and arguments submitted by Gulf Coast do not support a waiver of the CMP pursuant to 45 C.F.R. § 160.412. See Section VI below.
  20. On July 16, 2024, OCR obtained the authorization of the Attorney General of the United States, pursuant to 42 U.S.C. 1320a-7a, prior to issuing this Notice of Proposed Determination to impose a CMP.

III. Basis for CMP

Based on the above findings of fact, OCR has determined that Gulf Coast is liable for the following violations of the HIPAA Rules and, therefore, subject to a CMP:

  1. Gulf Coast did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. Gulf Coast failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
  3. Gulf Coast failed to implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends as specified in 45 C.F.R. § 164.308(a)(3)(ii)(c).
  4. Gulf Coast failed to implement procedures for establishing, documenting, reviewing and modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure as specified in 45 C.F.R. § 164.308(a)(4)(ii)(c).

IV. No Affirmative Defenses

By its March 20, 2024, LOO, OCR offered Gulf Coast the opportunity to provide written evidence of affirmative defenses per 45 C.F.R. § 160.410.

OCR determined that the information contained in Gulf Coast’s response dated April 18, 2024, did not provide a basis for an applicable affirmative defense under 45 C.F.R. § 160.410.

V. Factors Considered in Determining the Amount of the CMP

  1. In determining the CMP amount, OCR is required to consider certain factors listed in the regulation at 45 C.F.R. § 160.408, which may be mitigating or aggravating as appropriate. Based on evidence gathered during the investigation and information provided by Gulf Coast in its response to the LOO, OCR determined that none of the factors enumerated under 45 C.F.R. § 160.408 should be applied to mitigate or aggravate the CMP.
    1. 45 C.F.R. § 160.408(a) The nature and extent of the violation. OCR’s investigation found that over a nearly six-month period, a Gulf Coast workforce member impermissibly accessed the PHI of more than 34,000 individuals without detection. While this is considered a large number of individuals affected, under the HITECH Act and HIPAA Breach Notification Rule (more than 500 individuals affected), it is not one of the largest reported breaches that OCR receives annually.

      OCR also considered that this investigation found multiple long-standing Security Rule violations. However, Gulf Coast responded to the technical assistance OCR provided during the investigation and to address these compliance deficiencies, such as conducting a security risk analysis and performing a review of user access privileges. As such, OCR considers this as neither an aggravating nor a mitigating factor.

    2. 45 C.F.R. § 160.408(b) The nature and extent of the harm resulting from the violation. OCR does not have any evidence of harm to individuals resulting from the proposed violations. However, the good fortune that there is no evidence of harm is not attributable to any actions by Gulf Coast. As such, OCR finds that this is neither an aggravating nor mitigating factor.
    3. 45 C.F.R. § 160.408(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity.

      OCR has not previously investigated Gulf Coast regarding its compliance with the HIPAA Rules. As such, OCR has no record of any previous matters involving this entity that would demonstrate whether the current violation is the same or similar to previous indications of noncompliance, whether and to what extent the entity had attempted to correct previous indications of noncompliance, how the entity has responded to technical assistance from OCR provided in the context of a prior compliance effort, or how it responded to prior complaints.

      Ultimately, the lack of previous investigations of Gulf Coast is not evidence of compliance with the HIPAA Rules. This is evident from OCR’s investigative findings that Gulf Coast failed to implement multiple Security Rule provisions for a prolonged period of time, thus demonstrating a history of noncompliance. As such, OCR finds that this is neither an aggravating nor mitigating factor.

    4. 45 C.F.R. § 160.408(d) The financial condition of the covered entity. There is no evidence to suggest that Gulf Coast had financial difficulties that would affect its ability to comply with the requirements of HIPAA, such as costs associated with a HIPAA compliance program that would include workforce training, implementation of policies and procedures, minimum safeguards, etc. Further, Gulf Coast has not provided any evidence that the imposition of the maximum potential CMP will jeopardize its ability to provide healthcare services for its patient population. As such, OCR finds that this is neither a mitigating nor an aggravating factor.
    5. 45 C.F.R. § 160.408(e) Such other matters as justice may require. Based on OCR’s consideration of the totality of the circumstances, OCR finds this is neither a mitigating nor an aggravating factor.
  2. Recognized Security Practices (RSPs): Public Law 116-321 requires that OCR consider RSPs that HIPAA regulated entities adequately demonstrate had been in place for a period of not less than the previous 12 months when determining a civil money penalty.

    On July 2, 2024, OCR provided Gulf Coast with an opportunity to adequately demonstrate that it had RSPs in place for the previous 12 months. On July 26, 2024, Gulf Coast responded to OCR’s request. Upon examination of Gulf Coast’s responsive materials, OCR determined that Gulf Coast’s response adequately demonstrated that it had RSPs in place for the previous 12 months in alignment with Section 2(c)(15) of the National Institute of Standards and Technology Act. Therefore, OCR applied a reduction to the CMP based on Gulf Coast’s sufficient implementation of RSPs.

VI. Waiver

OCR has determined that there is no basis for waiver of the proposed CMP amount as set forth at 45 C.F.R. § 160.412. Gulf Coast presented no evidence that the payment of the CMP would be excessive relative to the violations found here and described in OCR’s letter to Gulf Coast of March 20, 2024.

VII. Amount of CMP

  1. Amount of CMP Per Violation. Based on the above, OCR finds that Gulf Coast is liable for the following CMPs for each violation described in Section III:

    1. Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)): The total CMP is $500,000. OCR has determined the appropriate penalty tier for this violation is Reasonable Cause.
      1. Calendar Year 2018: 92 days from October 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $126,868, capped at $100,000)
      2. Calendar Year 2019: 365 days from January 1, 2019, to December 31, 2019, at $1,379 per day (Total CMP of $503,335, capped at $100,000)
      3. Calendar Year 2020: 366 days from January 1, 2020, to December 31, 2020, at $1,379 per day (Total CMP of $504,714, capped at $100,000)
      4. Calendar Year 2021: 365 days from January 1, 2021, to December 31, 2021, at $1,379 per day (Total CMP of $503,335, capped at $100,000)
      5. Calendar Year 2022: 273 days from January 1, 2022, to September 30, 2022, at $1,379 per day (Total CMP of $376,467, capped at $100,000)

        Total CMP: $2,014,719, capped at $500,000.
    2. Information System Activity Review (45 C.F.R. § 164.308(a)(1)(ii)(D)): The total CMP is $300,000. OCR has determined the appropriate penalty tier for this violation is Reasonable Cause.
      1. Calendar Year 2018: 92 days from October 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $126,868, capped at $100,000)
      2. Calendar Year 2019: 365 days from January 1, 2019, to December 31, 2019, at $1,379 per day (Total CMP of $503,335, capped at $100,000)
      3. Calendar Year 2020: 101 days from January 1, 2020, to April 10, 2020, at $1,379 per day (Total CMP of $139,279, capped at $100,000)

        Total CMP: $769,482, capped at $300,000.
    3. Termination Procedures (45 C.F.R. § 164.308(a)(3)(ii)(C)): The total CMP is $300,000. OCR has determined the appropriate penalty tier for this violation is Reasonable Cause.
      1. Calendar Year 2018: 92 days from October 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $126,868, capped at $100,000)
      2. Calendar Year 2019: 365 days from January 1, 2019, to December 31, 2019, at $1,379 per day (Total CMP of $503,335, capped at $100,000)
      3. Calendar Year 2020: 101 days from January 1, 2020, to April 10, 2020, at $1,379 per day (Total CMP of $139,279, capped at $100,000)

        Total CMP: $769,482, capped at $300,000.
    4. Access Establishment and Modification 45 C.F.R. §164.308(a)(4)(ii)(c): The total CMP is $300,000. OCR has determined the appropriate penalty tier for this violation is Reasonable Cause, as follows:
      1. Calendar Year 2018: 92 days from October 1, 2018, to December 31, 2018, at $1,379 per day (Total CMP of $126,868, capped at $100,000)
      2. Calendar Year 2019: 365 days from January 1, 2019, to December 31, 2018, at $1,379 per day (Total CMP of $503,335, capped at $100,000)
      3. Calendar Year 2020: 106 days from January 1, 2020, to April 15, 2020, at $1,379 per day (Total CMP of $146,174, capped at $100,000)

        Total CMP: $776,377, capped at $300,000.

    Total CMP for all violations: $1,400,000
    Total CMP with reduction for RSPs: $1,190,000

VIII. Right to a Hearing

Gulf Coast has the right to a hearing before an administrative law judge to challenge these proposed CMPs. To request a hearing, Gulf Coast must mail a request, via certified mail with return receipt requested, under the procedures set forth at 45 C.F.R. Part 160 within 90 days of your receipt of this letter. Such a request must: (1) clearly and directly admit, deny, or explain each of the findings of fact contained in this notice; and (2) state the circumstances or arguments that you allege constitute the grounds for any defense, and the factual and legal basis for opposing the proposed CMP. See 45 C.F.R. § 160.504(c). If you wish to request a hearing, you must submit your request to:

U.S. Department of Health & Human Services
Departmental Appeals Board, MS 6132
Civil Remedies Division
330 Independence Ave, SW
Cohen Building, Room G-644
Washington, D.C. 20201
Telephone: (202) 565-9462

Copy to:
Barbara Stampul, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
61 Forsyth St., S.W., Ste. 16T70
Atlanta, GA 30303
Voice: (800) 368-1019
Fax: (202) 619-3818
TDD: (800) 537-7697
Email: Barbara.Stampul@hhs.gov

A failure to request a hearing within 90 days permits the imposition of the proposed CMP without a right to a hearing under 45 C.F.R. § 160.504 or a right of appeal under 45 C.F.R. § 160.548. If you choose not to contest this proposed CMP, you should submit a written statement accepting its imposition within 90 days of receipt of this notice.

If Gulf Coast does not request a hearing within 90 days, then OCR will notify Gulf Coast of the imposition of the CMP through a separate letter, including instructions on how to make payment, and the CMP will become final upon receipt of such notice.

If you have questions regarding this matter, please contact Ms. Emily Crabbe, Senior Advisor for HIPDC Compliance and Enforcement, at (404) 562-7878 or via email at Emily.Crabbe@hhs.gov.

Sincerely,

/s/
Jammie Randolph

For:
Barbara Stampul
Regional Manager

CC:      Iliana Peters, Polsinelli (via email only at IPeters@Polsinelli.com)


Endnotes

1 The CMPs reflect the penalty tiers described in the Notification of Enforcement Discretion (April 30, 2019). See https://www.federalregister.gov/documents/2019/04/30/2019-08530/notification-of-enforcement-discretion-regarding-hipaa-civil-money-penalties.

2 For violations occurring on or after November 3, 2015, HHS may make annual adjustments to the CMP amounts pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015. The annual inflation amounts are found at 45 C.F.R. § 102.3. For the most recent amounts, see 88 Fed Reg. 69531 (October 6, 2023).

3 See Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Sec. 701 of Public Law 114-74. Current inflation amounts are available at 45 CFR § 102.3.

4 See 42 U.S.C. § 1320a-7a(c)(1); 45 C.F.R. § 160.414.

Content created by Office for Civil Rights (OCR)
Content last reviewed December 3, 2024