The Office for Civil Rights (OCR) this week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA.

The settlement includes a $25,000 payment to OCR by Peachstate, a corrective action plan, and three years of monitoring by OCR.

OCR initiated a compliance review of Peachstate in December 2017 to determine its compliance with HIPAA following a report of a data breach by the U.S. Department of Veterans Affairs.  The notification alleged that the data breach was caused by the VA’s vendor, which was subsequently acquired by Peachstate.

According to OCR’s press release, “OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.”

OCR further stated, “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”