Getty Images

OCR Settles with Small Provider for $25K Over Multiple HIPAA Violations

Metropolitan Community Health Services, DBA Agape Health, reported a breach affecting 1,263 patients in 2011. The OCR audit into the incident found several longstanding HIPAA violations.

The Department of Health and Human Services Office for Civil Rights has reached a settlement with North Carolina-based Metropolitan Community Health Services, DBA Agape Health Services, over multiple potential HIPAA violations discovered after a 2011 patient data breach. 

OCR noted that Metro is a Federally Qualified Health Center, which provides discounted medical services to underserved populations. Those facts were taken into account when OCR reached its agreement with the provider. 

This is just the second OCR resolution agreement of 2020, in light of the COVID-19 pandemic. The provider office of Steven Porter, MD in Ogden, Utah reached a $100,000 settlement with OCR in March, after failing to implement some HIPAA security requirements. 

The Metro settlement stems from a health data breach reported to OCR on June 9, 2011. The provider discovered an impermissible disclosure of protected health information to an unknown email account that impacted 1,263 patients. 

OCR launched an audit, which revealed longstanding, systemic noncompliance with the HIPAA Security Rule. The provider failed to conduct any risk analyses, did not implement any HIPAA Security Rule policies and procedures, and neglected to provide its workforce with security awareness training until 2016. 

“Healthcare providers owe it to their patients to comply with the HIPAA Rules,” OCR Director Roger Severino, said in a statement. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information." 

Metro agree to pay the monetary settlement and adhere to a corrective action plan, which will include two years of monitoring. 

To start, the provider must conduct and complete an accurate, thorough analysis of its enterprise security risks and vulnerabilities of all electronic equipment, data systems, programs and applications that contain, store, transmit, or receive ePHI. 

The risk analysis must incorporate a complete inventory of all electronic equipment, data systems, off-site storage, and applications that contain ePHI. Metro must report its planned process for the analysis to OCR for approval. 

Metro will need to annually conduct the risk assessment, documenting the security measures implemented to sufficiently reduce the identified risks and vulnerabilities to a reasonable and appropriate level. These plans will also need to be submitted to HHS for review. 

Under the corrective action plan, Metro will need to review and revise its written policies and procedures to comply with HIPAA. Those policies must include PHI uses and disclosures, business associate disclosures, training, and safeguards, as well as breach notification provisions. 

The provider must also submit its planned training materials to HHS for review. Within 30 days of its approval, Metro is required to provide security training to its workforce. New workforce members must receive training within 14 days of initial hiring. 

Lastly, Metro must provide HHS annual reports on its policies and procedures, accounting of business associates, training materials, security implementation, and reportable events, among other items. 

Next Steps

Dig Deeper on HIPAA compliance and regulation