On July 23, 2020, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a resolution agreement with a small health care provider regarding an alleged breach of HIPAA Security Rule requirements.
OCR alleged that the provider, Metropolitan Community Health Services (Metro), failed to conduct any security risk analyses, failed to implement HIPAA Security Rule policies and procedures, and failed to provide its workforce with HIPAA security awareness training until 2016. OCR’s investigation of Metro began when Metro filed a HIPAA breach report on June 9, 2011, following its impermissible disclosure of the PHI of 1,263 patients. Metro is a small Federally Qualified Health Center that provides discounted medical services to the underserved in rural North Carolina. According to HHS, Metro’s mission and source of funding were taken into account in reaching the resolution agreement.
Under the terms of the agreement, Metro was required to pay $25,000 to HHS and is subject to a 2-year corrective action plan. At a high level, the corrective action plan requires Metro to: (i) conduct a compliant security risk analysis (i.e., an enterprise-wide analysis of its data security risks and vulnerabilities), develop a risk management plan, and conduct assessments of its risks and vulnerabilities annually; (ii) revise its written policies and procedures to comply with the HIPAA Privacy, Security, and Breach Notification Rules; and (iii) provide HHS-approved training on its HIPAA policies and procedures to all employees, as well as routine retraining as needed.
This resolution agreement was the second HIPAA settlement announced by OCR in 2020. This year’s first settlement, a $100,000 agreement with a sole practitioner physician provider that was also based on Security Rule noncompliance, was accompanied by the OCR Director’s statement that “all health care providers, large and small, need to take their HIPAA obligations seriously.” Notably, on July 27, 2020, OCR announced a third, much larger settlement: $1.04 million with Lifespan Health System Affiliated Covered Entity, related to the theft of an unencrypted laptop.
Together with the Metro resolution agreement, these settlements illustrate OCR’s continued and longstanding emphasis on Security Rule requirements and underscore that compliance is critical for all providers, large and small.