Last month, leaders from Agape Health Services in rural Washington, North Carolina, were happy to share photos of the shell of a building in neighboring Plymouth that, within a year, will be transformed into the third location for this federally qualified health center (FQHC). “Here we GROW!” proclaimed the Facebook post. “We’re SUPER excited to be able to serve the citizens of Plymouth…and surrounding areas! Services will include: Primary medical care, dental, behavioral health and an on-site pharmacy!”[1]
Days later, however, Agape was in the news for a different reason: the HHS Office for Civil Rights (OCR) announced that officials had agreed to a $25,000 payment and two-year corrective action plan (CAP) to resolve allegations it wasn’t compliant with the HIPAA Security Rule until 2016.[2] What was startling about the settlement was the fact that it resulted from a small breach that occurred nine years earlier.
The settlement was just the second OCR released this year, and the amount put it very near the historical bottom for an agency that routinely collects settlements of a million or more. And just days later, OCR announced a $1 million settlement[3] that dwarfed Agape’s.[4]
Yet for Clifton Gray III, the chief compliance officer for Agape, the man who signed that he’ll be responsible for implementing the CAP and submitting all required reports and documents, the $25,000 stung. In fact, Gray—who spoke exclusively to RPP—said the payment was “devastating” to the health center. Still, it was better than what he said OCR first proposed—a fine of $400,000 that would have “forced us to close.”
No Known Harm From 2011 Breach
Gray told RPP that what gives him “indigestion” is that OCR officials were not willing to consider Agape’s more recent compliance history. “I don't think it’s fair for us to be held accountable for something that stemmed from 2011,” said Gray. Agape signed the agreement with OCR to avoid a more costly court battle. “In order not to waste our resources, we went ahead with $25,000 just to settle it and move on,” he said. In a brief email, OCR officials told RPP the agency “does not comment on settlement discussions,” and repeated language from the announcement regarding Agape’s alleged “long-standing, systemic noncompliance.”
Nearly nine years passed from the date of the breach to the Agape settlement, seemingly the longest time from an incident to an agreement in OCR’s history. Typically cases are settled within five years or less, and recent ones involving patients accessing their records have been turned around in under two years.[5] It took OCR six years to reach an $800,000 settlement with Park View Health System Inc. of Fort Wayne, Indiana, in a case that, like this one, was marked by fits and starts.[6]
OCR referred to Agape in the settlement documents as Metropolitan Community Health Services Inc., doing business as Agape.[7] Like other FQHCs, it operates on a sliding scale and accepts Medicare and Medicaid as well as commercial insurance plans at its two locations in Eastern North Carolina. It was founded in the city of Washington in 1998 (which is referred to as part of the “Inner Banks”), and added another location in Williamston in 2013.
Metropolitan filed a breach report on June 9, 2011, regarding protected health information (PHI) for 1,263 people that was disclosed “to an unknown email account.” Gray told RPP an unencrypted email was sent to an attorney working for Agape, but the address was wrong, so Agape wasn’t sure where the email went. He said there has never been any evidence of fraud or other misuse associated with the misdirected email.
In its July 24 settlement announcement, OCR said its investigation into the incident “revealed longstanding, systemic noncompliance with the HIPAA Security Rule,” contending that Agape hadn’t conducted “any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.”
Unlike other announcements that sometimes feature especially stern or scolding language, this one was relatively mild and generic in tone. “Health care providers owe it to their patients to comply with the HIPAA Rules,” said OCR Director Roger Severino. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Agape: Case Was Dormant for Years
The entire management staff has turned over since 2011, and several key leaders and the person who was in charge of compliance are deceased, Gray said. According to Gray, OCR “sat on” the case, and Agape didn’t hear from OCR after the breach report in 2011 until 2015 or 2016 when OCR requested documents, which were submitted.
Then the case lay dormant again until last fall. The center had no sense OCR was still investigating Agape until October, ultimately telling officials that there was “reason to believe that we were out of compliance” until 2016, said Gray. “We told them that we have all these policies [now], we can send them, we can send them out a risk assessment, all the things they said we didn’t have. They didn't want to see anything. They just went off of what happened previously.”
When OCR officials, said Gray, initially proposed a payment of $400,000, “we just told them there was no way we would be able to pay that,” and Agape officials countered with a zero payment. OCR representatives said “there had to be something” and agreed to settle for $25,000, according to Gray.
Agape experienced “growing pains” in 2011, but “those days are long past Agape,” Gray said, adding that the center asked to be judged based on its current compliance efforts, but OCR’s focus was on the time of the breach.
“2011 was ages ago, and that is something that we concentrated on [in] our response to OCR,” said Gray, who added that he joined Agape in June 2019. “I was flabbergasted that there wasn’t a statute of limitations from the way that they approached it.”
By comparison, in 2011, Agape had approximately 10 employees, and now it has more than 80 across the two locations. The third is expected to employ up to 20 people, Gray said. “We’re just not the same organization at all. So that’s the problem.” The OCR settlement states that Agape serves 3,100 patients annually, but Agape said the number is more than 5,200.
This is not OCR’s first settlement with an FQHC, and it shares other elements with an earlier agreement—including OCR’s $400,000 offer to Agape. That is the amount the similarly named Metro Community Provider Network of Englewood, Colorado, agreed to pay in 2017 for a breach six years earlier.[8]
In that case, workers fell prey to a phishing scam that exposed the PHI of 3,200 individuals. As with Agape, OCR said Metro had failed to conduct a risk analysis initially and then undertook one that the agency considered insufficient. The settlement also included a CAP, but for three years.
Recommendation to Beat Deadlines
RPP asked whether implementing the CAP will be easy given what Gray described as Agape’s current state of compliance. “I really don’t see where we’ll have any problem with the corrective action plan,” he said. Policies are updated and current, training is appropriate and ongoing, he said.
RPP asked Gray if he had any advice to share with other compliance officials, having gone through the settlement process with OCR.
Noting that “I was not the compliance person that was here when OCR came knocking at first,” he recommended meeting (or beating) any deadline to produce documents or implement any other required actions.
“That has always been my philosophy—try to meet the deadline before the deadline comes. That is what my advice would be. Don’t let the deadline catch you where you have to ask for an extension of time.”
Dedicated to Compliance
Gray also described the settlement as a perhaps unwelcome but necessary action. Gray wasn’t even aware that OCR had announced the settlement until he started getting calls from vendors wanting to sell him compliance products and services, he said.
“We were just all into the business of trying to serve our constituency,” Gray said, adding that “sometimes you just take some things on the chin. It’s kind of like my dad used to always tell me when I was growing up, you’ve got to know how to choose your battles. You can fight the principle of a thing, but sometimes it’s best to just let things be. We definitely had a principle fight that we could have lodged, but we couldn’t afford [it]. So we were just stuck between a rock and hard place.”
But complying with the CAP and HIPAA are paramount, he said.
“I inherited this situation,” Gray pointed out. “I take responsibility for what happens now.” The CAP is “something that we have to deal with and make sure [noncompliance] doesn’t happen again.”
Contact Gray at cgray@agapechc.org.