From mid-March to mid-July of 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) was very busy… But not because it was issuing fines. HHS, responding to the COVID-19 pandemic, was releasing guidance on how covered entities and business associates can comply with the HIPAA regulations during this extraordinary time. COVID-19 has not ended, but, it turns out, the fines linger on. On July 23, 2020, an OCR settlement was announced with Metropolitan Community Health Services (Metro) for $25,000. Metro, a federally qualified health center, must also implement a corrective action plan (CAP).
Federally Qualified Health Center Has Been on OCR Radar Since 2011
Since 1999, Metro has operated in the rural areas of Washington and Williamston, North Carolina, providing a wide range of healthcare services to local residents. These services include on-site pharmacy, dental, behavioral health, gynecology, and primary and pediatric care services. Metro employs 43 people and serves about 3,100 patients each year.
In June of 2011, Metro filed a breach report with HHS, indicating that protected health information (PHI) was impermissibly disclosed to an unknown email account. 1,263 patients were affected by the breach. OCR then investigated Metro, finding long-running, systematic noncompliance with the HIPAA Security Rule.
This noncompliance included failure to conduct risk analyses, failure to implement any HIPAA Security Rule policies and procedures, and failure to provide workers with security awareness training until 2016. OCR had planned to fine Metro (currently doing business as Agape Health Services) for these multiple HIPAA Security Rule violations. Metro decided to settle in early March of 2020.
OCR, in reaching the agreement, singled out the fact that Metro is a federally qualified health center (FQHC). An FQHC is a community-based healthcare provider that receives funds from the Health Center Program of HHS's Health Resources and Services Administration (HRSA) and uses these funds to provide primary care services in underserved areas. In return for receiving federal government money, an FQHC must provide care on a sliding fee scale based on ability to pay. It must also operate under a governing board that includes patients.
In announcing the settlement, OCR Director Roger Severino stated: “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”