$25,000 Fine for HIPAA Security Rule Noncompliance Sanctioned against Small North Carolina Healthcare Provider

The HHS’ Office for Civil Rights (OCR) has announced that it has reached a $25,000 settlement with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health, and pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to people in rural North Carolina. Metropolitan Community Health Services has around 43 staff and treats 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a breach report with OCR concerning the protected health information of 1,263 patients. OCR carried out a compliance review to determine whether the breach was the result of noncompliance with the HIPAA Rules. The review uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Before the breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. § 164.316, and had not conducted an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. § 164.308(a)(5).

In determining an appropriate settlement, OCR took into account the size of the organization and several other factors. In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt an in-depth corrective action plan and will ensure that policies and procedures are implemented to the standards required by HIPAA. Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation fine imposed on a HIPAA covered entity in 2020 to resolve violations of the HIPAA Rules, the first being a $100,000 fine in March 2020 for Steven A. Porter, M.D., for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to adhere to the HIPAA Rules.

Roger Severino, OCR Director, said: “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”