The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $25,000 settlement with a healthcare provider over potential violations of the Health Insurance Portability and Accountability Act (HIPAA), citing “widespread compliance issues” uncovered in the investigation that followed a data breach.
A copy of the corrective action plan for Metropolitan Community Health Services in North Carolina, doing business as Agape Health Services, has been published by OCR.
“Healthcare providers owe it to their patients to comply with the HIPAA Rules,” said Roger Severino, OCR’s Director, in a statement. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Nearly a decade ago, in 2011, the provider discovered a data breach that exposed the protected health information of 1,263 patients. It reported the breach to OCR, which opened an investigation.
During that investigation, OCR found the provider out of compliance with the HIPAA Security Rule on three counts: it had not implemented the required policies and procedures, it did not provide security awareness and training to its workforce until 2016, and it had never conducted a risk analysis of the potential risks and vulnerabilities to its electronic protected health information (ePHI).
Along with paying the $25,000 settlement, the provider has agreed to a corrective action plan under which it will:
- Conduct and complete an accurate, thorough, enterprise-wide analysis of security risks and vulnerabilities to its ePHI that covers all electronic equipment, data systems, programs, and applications
- Review and update its Security Rule policies and procedures based on that analysis
- Develop and deliver appropriate security awareness and training materials for its workforce