HHS OCR Reaches HIPAA Settlement with Small Rural Health Care Provider

Arnall Golden Gregory LLP

On July 23, 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a small health care provider regarding an alleged breach of HIPAA Security Rule requirements.

OCR alleged that the provider, Metropolitan Community Health Services (Metro), failed to conduct any security risk analyses, failed to implement HIPAA Security Rule policies and procedures, and failed to provide its workforce with HIPAA security awareness training until 2016. OCR’s investigation of Metro began when Metro filed a HIPAA breach report on June 9, 2011, following its impermissible disclosure of the PHI of 1,263 patients. Metro is a small Federally Qualified Health Center that provides discounted medical services to the underserved in rural North Carolina. According to HHS, Metro’s mission and source of funding were taken into account in reaching the resolution agreement.

Under the terms of the agreement, Metro was required to pay $25,000 to HHS and is subject to a 2-year corrective action plan. At a high level, the corrective action plan requires Metro to: (i) conduct a compliant security risk analysis (i.e., an enterprise-wide analysis of its data security risks and vulnerabilities), develop a risk management plan, and conduct assessments of its risks and vulnerabilities annually; (ii) revise its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and (iii) provide HHS-approved training on its HIPAA policies and procedures to all employees, as well as routine retraining as needed.

This resolution agreement was the second HIPAA settlement announced by OCR in 2020. This year’s first settlement, which was with a sole practitioner physician provider for $100,000 and also was based on Security Rule noncompliance, was accompanied by the OCR Director’s statement that “all health care providers, large and small, need to take their HIPAA obligations seriously.” Notably, OCR announced a third – much larger – settlement with Lifespan Health System Affiliated Covered Entity of $1.04 million on July 27, 2020, related to the theft of an unencrypted laptop.

Together with the Metro resolution agreement, these settlements illustrate OCR’s continued and longstanding emphasis on Security Rule requirements and underscore that compliance is critical for all providers, large and small. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising
