HIPAA Security Rule Violations Result in $25,000 Settlement for Small North Carolina Healthcare Provider

The HHS’ Office for Civil Rights (OCR) has announced that Metropolitan Community Health Services has agreed to a $25,000 settlement to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health, and pharmacy services for adults and children. Operating as Agape Health Services, Metropolitan Community Health Services provides discounted medical services to the underserved population of rural North Carolina. The organization has approximately 43 employees and serves 3,100 patients annually.

On June 9, 2011, Metropolitan Community Health Services submitted a breach report to OCR concerning a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the result of noncompliance with the HIPAA Rules. The investigation found longstanding, systemic noncompliance with the HIPAA Security Rule.

Before the breach, Metropolitan Community Health Services had not implemented HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and had not completed an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). Despite being in business since 1999, the organization had provided no HIPAA security awareness and training to its workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account. In addition to paying a $25,000 penalty to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to implement a thorough corrective action plan and will ensure its policies and procedures meet the standards required by HIPAA. Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA penalty imposed on a HIPAA covered entity in 2020 to resolve violations of the HIPAA Rules, the first being a $100,000 fine in March 2020 for Steven A. Porter, M.D., for risk analysis and risk management failures.

Roger Severino, OCR Director, said: “The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”