NC Health Center Pays HIPAA Settlement

The U.S. Department of Health and Human Services (HHS) announced on July 23 that Metropolitan Community Health Services (Metro) paid $25,000 to HHS’s Office for Civil Rights (OCR) to resolve HIPAA violations. Metro, a Federally Qualified Health Center, operates two multidisciplinary medical clinics in eastern North Carolina under the name of Agape Health Services.

Metro filed a breach report in June 2011 after an impermissible disclosure of electronic protected health information of 1,262 patients. Upon investigation, OCR determined that until 2016, Metro failed to conduct risk analyses, implement security policies and procedures, or provide HIPAA training to its workforce, all as required by the HIPAA Security Rule.

In setting a small financial penalty, OCR took into account that Metro provides discounted medical services to an underserved rural population. Metro’s Resolution Agreement with OCR includes a Corrective Action Plan that requires Metro to conduct annual risk assessments, adopt appropriate policies and procedures, and submit to monitoring of its HIPAA compliance for two years, among other steps.