North Carolina Health Care Provider Settles with OCR for Potential HIPAA Violations

On July 23, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that North Carolina health care provider, Metropolitan Community Health Services d/b/a Agape Health Services (Agape), agreed to pay $25,000 and adopt an extensive corrective action plan to settle potential HIPAA violations.

The settlement stems from a June 9, 2011 breach report filed by Agape regarding an inappropriate disclosure of the protected health information of 1,263 patients to an unknown email address. Upon investigation, OCR identified “longstanding, systemic noncompliance” by Agape with the HIPAA Security Rule.

Specifically, OCR’s investigation revealed the following deficiencies:

  • Failure to implement HIPAA Security Rule policies and procedures.
  • Failure to provide HIPAA Security Awareness and Training.
  • Failure to conduct thorough risk assessment of ePHI.

As part of the corrective action plan, Agape is required to take the following action with oversight and reporting to OCR:

  • Conduct enterprise-wide risk analysis and develop complete inventory of all hardware and software that contain or store ePHI.
  • Review, revise, and distribute written policies and procedures to comply with the Privacy, Security, and Breach Notification Rules. For a list of specific policies and procedures listed in the corrective action plan, see page 8 of the Resolution Agreement.
  • Create HIPAA Privacy and Security training materials and provide routine training to the entire workforce. Agape is required to review the training annually and update it to reflect changes in federal law, HHS guidance, and any other relevant developments.

In announcing the settlement, OCR Director Roger Severino stated that “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

Health care providers, large and small alike, must be aware that OCR continues its oversight and enforcement action even during the COVID-19 pandemic. Providers should use this Resolution Agreement as an opportunity to review and update their own policies and procedures and to conduct a thorough assessment of potential security risks within the covered entity and its business associates.

For a complete copy of the Resolution Agreement, click here.

About the Author

A shareholder at Young Moore, David advises clients in matters related to healthcare privacy and data security, breach notification and reporting requirements, and HIPAA compliance. David assists covered entities and business associates with HIPAA privacy and security policies and procedures, incident response and investigation, and workforce and management training. David currently serves as the Interim Associate Compliance Officer and Director of Privacy of an Academic Medical Center in North Carolina. In addition, David maintains a litigation practice where he represents clients in business litigation, products and premises liability, and transportation. Read More


Electronic mail or other oral or written communication to Young Moore and Henderson P.A. in connection with a matter for which we do not already represent you may not be treated as privileged or confidential. Communications are not privileged until the client and lawyer have agreed on legal representation. Please do not send confidential information to us via e-mail or in any other manner without first communicating directly with us about the attorney-client relationship. The transmission of an e-mail request for information does not create an attorney-client relationship. Your initial email should only contain a list of the parties interested in the matter so that we can make sure we have no conflicts before you convey any information about your case.

Accept Decline