Small North Carolina Healthcare Provider to Pay $25,000 to Settle HIPAA Security Rule Violation

The HHS’ Office for Civil Rights (OCR) has announced that Metropolitan Community Health Services has agreed to pay $25,000 to settle its HIPAA Security Rule violations.

Metropolitan Community Health Services, based in Washington, NC, is a Federally Qualified Health Center that offers integrated medical, behavioral health, dental, and pharmaceutical services for adults and children. Doing business as Agape Health Services, Metro provides discounted healthcare services to the underserved population of rural North Carolina. It has around 43 employees and serves about 3,100 patients a year.

Metropolitan Community Health Services submitted a breach report to OCR on June 9, 2011 concerning an incident that potentially exposed the protected health information of 1,263 patients. OCR carried out a compliance audit to determine whether the breach was the result of noncompliance with the HIPAA Rules. The audit revealed persistent, systemic noncompliance with the HIPAA Security Rule at Metro.

Before the data breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316. It had also failed to conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). Despite having operated since 1999, Metro did not provide its workforce with any HIPAA security awareness and training until June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement amount, OCR took into account the size of the organization along with a number of other factors. In addition to paying the $25,000 financial penalty to resolve its HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and to implement policies and procedures that meet the standards required by HIPAA. Its compliance with the corrective action plan will be monitored for two years.

This is the second HIPAA penalty imposed on a HIPAA covered entity in 2020 to resolve violations of the HIPAA Rules. The first, in March 2020, was a $100,000 financial penalty paid by Steven A. Porter, M.D. for failing to comply with the risk analysis and risk management requirements.

The fine demonstrates that healthcare organizations of all sizes must comply with the HIPAA Rules. Healthcare organizations owe that compliance to their patients, and when a potential HIPAA violation is identified, providers have a responsibility to their patients to promptly address the problem areas in order to protect patient health data.