Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) announced that it has reached a $25,000 settlement with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Metropolitan Community Health Services, based in Washington, NC, is a Federally Qualified Health Center that offers integrated medical, dental, behavioral health, and pharmacy services for adults and children. Doing business as Agape Health Services, Metro provides discounted medical services to underserved populations in rural North Carolina. Metropolitan Community Health Services has about 43 employees and serves 3,100 patients every year.

On June 9, 2011, Metropolitan Community Health Services submitted a report to OCR regarding a breach of 1,263 patients’ protected health information (PHI). OCR performed a compliance review to determine whether the breach resulted from noncompliance with the HIPAA Rules. The OCR investigation discovered persistent, systemic noncompliance with the HIPAA Security Rule.

Before the breach occurred, Metropolitan Community Health Services had not implemented HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. § 164.316, and had not conducted an appropriate and comprehensive evaluation of the potential threats to the integrity, confidentiality, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). Despite being in business since 1999, the provider did not provide any HIPAA security awareness and training to its workforce prior to June 30, 2016, in violation of 45 C.F.R. § 164.308(a)(5).

When determining an appropriate settlement, OCR considered the size of the organization and a number of other factors. Besides paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services agreed to follow a corrective action plan and will implement policies and procedures that meet the requirements of HIPAA. For two years, Metropolitan Community Health Services will be monitored for compliance with the corrective action plan.

This $25,000 settlement is the second in 2020 paid by a HIPAA covered entity to resolve violations of the HIPAA Rules. The first settlement, in March 2020, involved a $100,000 financial penalty paid by Steven A. Porter, M.D., regarding risk analysis and risk management failures.

The fine demonstrates that healthcare organizations, large or small, must comply with HIPAA Rules. Health care organizations owe it to their patients to comply with the HIPAA Rules. When notified of probable HIPAA violations, providers need to immediately deal with problem areas to protect the health information of individuals, according to OCR Director Roger Severino.