North Carolina Health Care Provider Settles with OCR for Potential HIPAA Violations
On July 23, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that North Carolina health care provider, Metropolitan Community Health Services d/b/a Agape Health Services (Agape), agreed to pay $25,000 and adopt an extensive corrective action plan to settle potential HIPAA violations.
The settlement stems from a June 9, 2011 breach report filed by Agape regarding an inappropriate disclosure of the protected health information of 1,263 patients to an unknown email address. Upon investigation, OCR identified “longstanding, systemic noncompliance” by Agape with the HIPAA Security Rule.
Specifically, OCR’s investigation revealed the following deficiencies:
- Failure to implement HIPAA Security Rule policies and procedures.
- Failure to provide HIPAA Security Awareness and Training.
- Failure to conduct a thorough risk assessment of ePHI.
As part of the corrective action plan, Agape is required to take the following actions with oversight and reporting to OCR:
- Conduct an enterprise-wide risk analysis and develop a complete inventory of all hardware and software that contain or store ePHI.
- Review, revise, and distribute written policies and procedures to comply with the Privacy, Security, and Breach Notification Rules. For the specific policies and procedures listed in the corrective action plan, see page 8 of the Resolution Agreement.
- Create HIPAA Privacy and Security training materials and provide routine training to the entire workforce. Agape is required to review the training annually and update it to reflect changes in federal law, HHS guidance, and any other relevant developments.
In announcing the settlement, OCR Director Roger Severino stated that “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Health care providers, large and small alike, must be aware that OCR continues its oversight and enforcement action even during the COVID-19 pandemic. Providers should use this Resolution Agreement as an opportunity to review and update their own policies and procedures and to conduct a thorough assessment of potential security risks within the covered entity and its business associates.