$25,000 Penalty for Small Healthcare Provider for HIPAA Security Rule Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Washington, NC healthcare provider Metropolitan Community Health Services (Metro). Under the terms of the settlement agreement, Metro must pay a $25,000 financial penalty and adopt a corrective action plan to correct all areas of noncompliance with the HIPAA Rules.

Metro is a Federally Qualified Health Center that operates as Agape Health Services and provides medical, dental, behavioral health and pharmacy services for adults and children. Metro provides care to patients in underserved communities in rural North Carolina; it has 43 employees and serves around 3,100 patients annually.

Metro submitted a data breach notice to OCR on June 9, 2011, concerning a breach of the unsecured protected health information of 1,263 patients. OCR conducted an investigation and compliance review to determine whether Metro had implemented HIPAA policies and procedures and was in compliance with the HIPAA Rules. The investigation revealed “longstanding, systemic noncompliance with the HIPAA Security Rule.”

Specifically, Metro had failed to implement HIPAA security policies and procedures, had not conducted an accurate and comprehensive risk assessment to identify risks to the confidentiality, integrity, and availability of ePHI, and did not provide HIPAA security awareness training to its workforce until June 30, 2016, despite operating as a HIPAA covered entity since 1999 and having experienced a data breach that affected more than a third of its patients.

Multiple HIPAA violations spanning several years could have attracted a sizeable fine, but OCR took several factors into consideration when determining an appropriate financial penalty, including the size of the organization and its means to pay. Under the terms of the settlement, Metro is required to comply with the corrective action plan and report on its HIPAA compliance status, and OCR will closely monitor the provider's compliance for the next two years.

“Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

This is the second penalty for noncompliance with the HIPAA Rules to be announced by OCR in 2020. In March 2020, a financial penalty of $100,000 was agreed with Steven A. Porter, M.D., to resolve risk analysis and risk management failures.

2020 is likely to see fewer financial penalties issued than in previous years because of the COVID-19 pandemic, but this settlement shows that while OCR has announced notices of enforcement discretion in response to the nationwide public health emergency, financial penalties will still be imposed for noncompliance with HIPAA.