(Peachstate Pays $25,000 to Settle Potential HIPAA violation
RESOLUTION AGREEMENT
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
A. The United States Department of Health and Human Services, Office for Civil
Rights (“HHS”), which enforces the Federal standards that govern the privacy of
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of
Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of
Part 164, the “Security Rule”), and the Federal standards for notification in the case of
breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and
D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to
conduct compliance reviews and investigations of complaints alleging violations of the
Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities
and business associates, and covered entities and business associates must cooperate with
HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and
160.310(b).
B. Peachstate Health Management, Inc. d/b/a AEON Clinical Laboratories
(Peachstate), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is
required to comply with the HIPAA Rules. Peachstate is a CLIA-certified laboratory,
which provides, among other things, clinical and genetic testing services mainly through
its publicly-traded parent company, AEON Global Health Corporation (AGHC).
HHS and Peachstate shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct. On January 7, 2015, the U.S. Department
of Veterans Affairs (VA) reported a breach of unsecured protected health information (PHI)
involving the VA’s Telehealth Services Program managed by its business associate, Authentidate
Holding Corporation (AHC). On August 31, 2016, OCR initiated a compliance review of AHC
to determine its compliance with the Privacy and Security Rules related to the breach
(transaction number 16-247815). During the compliance review, it was learned that AHC and
Peachstate had earlier entered into a “reverse merger” on January 27, 2016, whereby AHC
acquired Peachstate. As a result, OCR opened a compliance review into the clinical laboratories
of Peachstate to assess the clinical laboratories’ compliance with the Privacy and Security Rules
(transaction number 18-288838). HHS’ investigation of transaction number 18-288838 indicated
potential violations of the following provisions (“Covered Conduct”):
A. Peachstate failed to conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity, and availability of
I. Recitals
1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
A. The United States Department of Health and Human Services, Office for Civil
Rights (“HHS”), which enforces the Federal standards that govern the privacy of
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of
Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic
individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of
Part 164, the “Security Rule”), and the Federal standards for notification in the case of
breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and
D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to
conduct compliance reviews and investigations of complaints alleging violations of the
Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities
and business associates, and covered entities and business associates must cooperate with
HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and
160.310(b).
B. Peachstate Health Management, Inc. d/b/a AEON Clinical Laboratories
(Peachstate), which is a covered entity, as defined at 45 C.F.R. § 160.103, and therefore is
required to comply with the HIPAA Rules. Peachstate is a CLIA-certified laboratory,
which provides, among other things, clinical and genetic testing services mainly through
its publicly-traded parent company, AEON Global Health Corporation (AGHC).
HHS and Peachstate shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct. On January 7, 2015, the U.S. Department
of Veterans Affairs (VA) reported a breach of unsecured protected health information (PHI)
involving the VA’s Telehealth Services Program managed by its business associate, Authentidate
Holding Corporation (AHC). On August 31, 2016, OCR initiated a compliance review of AHC
to determine its compliance with the Privacy and Security Rules related to the breach
(transaction number 16-247815). During the compliance review, it was learned that AHC and
Peachstate had earlier entered into a “reverse merger” on January 27, 2016, whereby AHC
acquired Peachstate. As a result, OCR opened a compliance review into the clinical laboratories
of Peachstate to assess the clinical laboratories’ compliance with the Privacy and Security Rules
(transaction number 18-288838). HHS’ investigation of transaction number 18-288838 indicated
potential violations of the following provisions (“Covered Conduct”):
A. Peachstate failed to conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity, and availability of