Medical Practice Ordered to Pay HIPAA Civil Monetary Penalty Following Acquisition | Saul Ewing LLP

In October 2024, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced the imposition of a civil monetary penalty (“CMP”) against Providence Medical Institute (“PMI”), a large medical practice based in Southern California with 275 providers who work in 35 medical offices. PMI did not contest OCR’s Notice of Proposed Determination (“NPD”) and findings of fact, which it received in March 2024, and OCR’s notice of final determination affirmed the NPD.
What You Need to Know:
- OCR announced the imposition of a civil monetary penalty against a large medical practice based in Southern California.
- The incident involved three separate ransomware attacks and some significant IT failures, following the medical practice’s acquisition of another provider.
- OCR’s response is an important reminder of the need for careful due diligence and timely and complete integration efforts, including IT issues, following an acquisition.
In July 2016, PMI acquired an orthopedic practice, the Center for Orthopaedic Specialists (“COS”), and commenced a two-year transition process to integrate COS within PMI. In February 2018, the COS systems containing electronic protected health information (“ePHI”) were encrypted in a ransomware attack after a member of its workforce clicked on a phishing email. One week later, COS was subjected to a second ransomware attack, and two weeks after that, COS was hit by a third. In April 2018, PMI filed a breach report with OCR and noted that the compromised COS ePHI affected 85,000 individuals.
During OCR’s investigation of PMI, OCR learned that PMI did not have a business associate agreement with COS’s IT vendor, and that PMI failed to “implement the required technical policies and procedures for COS’s electronic information systems … to allow access only to those persons or software programs that have been granted access rights.”
In reaching its decision to impose a $240,000 CMP against PMI, OCR considered the following factors:
- The nature and extent of the violation.
- The nature and extent of the harm resulting from the violation.
- PMI’s history of prior compliance with HIPAA.
- The financial condition of the covered entity.
OCR determined that the total CMP owed by PMI was $300,000, but offset the CMP by 20 percent to reflect the recognized security practices PMI had in effect.
Practice sales and acquisitions by health systems, hospitals, medical practices and/or private equity are regular occurrences within the health care delivery system. The PMI NPD may be attributed in part to bad luck – three different ransomware attacks within a very short period of time – and in part to the IT challenges and implementation timeline associated with any medical practice transition. The NPD did not discuss any indemnification provisions that were part of the PMI and COS transaction, or the availability of insurance to offset any financial costs resulting from the OCR investigation or the CMP. The PMI NPD is an important reminder of the need for careful due diligence and timely and complete integration efforts, including IT issues, post-closing.
A copy of the PMI NPD is located here, and the notice of final determination may be found here.