On July 23, 2020 the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), announced a $25,000 Resolution Agreement and Corrective Action Plan (CAP) with Metropolitan Community Health Services d/b/a Agape Health Services (Metro) to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Metro is a nonprofit Federally Qualified Health Center providing a variety of discounted medical services including on-site pharmacy, dental, behavioral health, gynecology, primary and pediatric care to the underserved population in rural North Carolina. Metro treats approximately 3,100 patients annually – it is a small provider. The Resolution Agreement is not an admission of liability by Metro.
On June 9, 2011, Metro filed a breach report regarding the impermissible disclosure of electronic protected health information (ePHI) to an unknown email account. The breach affected 1,263 patients. OCR conducted a subsequent investigation that revealed longstanding, widespread HIPAA compliance issues. Specifically, OCR determined that Metro did not implement HIPAA Security Rule policies and procedures, neglected to provide workforce members with security awareness training until 2016, and failed to conduct risk analyses.
In addition to paying $25,000, Metro accepted a two (2) year CAP and agreed to perform each of the following:
- Conduct and complete an enterprise-wide analysis of security risks and vulnerabilities for all electronic equipment, data systems, programs, and applications that contain, store, transmit, or receive ePHI and provide the risk analysis to HHS for review and approval;
- Once approved by HHS, develop an organization-wide risk management plan;
- Conduct annual risk assessments, which must be submitted to HHS for review;
- Review and revise Metro’s policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules and provide the updated policies and procedures to HHS for review and approval;
- Adopt, distribute, and routinely update HHS-approved policies and procedures;
- Submit proposed training materials to HHS for approval and thereafter provide training to all workforce members; and
- Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation has occurred, notify HHS within thirty (30) days.
This OCR resolution is a reminder that all covered entities, regardless of size or patient population, must comply with the HIPAA Security Rule. All covered entities should review their Security Rule policies and procedures to ensure they are adequate and up-to-date. Covered entities should also ensure they regularly conduct security awareness trainings with workforce members.