North Carolina healthcare provider, OCR reach settlement following security issues

July 28, 2020
Medicare Web

Metropolitan Community Health Services (MCHS), a federally qualified health center that provides discounted medical services to underserved populations in rural North Carolina, agreed to pay $25,000 to the Office for Civil Rights (OCR) and adopt a corrective action plan to settle potential violations of the HIPAA Security Rule, OCR announced on July 23.

The fine stems from a June 2011 breach report regarding the impermissible disclosure of protected health information (PHI) and the organization’s subsequent failure to implement security policies and procedures, conduct risk analyses, and provide workforce members with adequate training, as required by HIPAA.

According to the resolution agreement, an OCR investigation into MCHS learned of “widespread compliance issues.” MCHS failed to offer its staff security training until June 30, 2016. Additionally, OCR found that MCHS failed to conduct accurate and thorough assessments of the potential risks and vulnerabilities.

In addition to the $25,000 fine, MCHS agreed to a number of corrective actions. It will complete an accurate and thorough enterprise-wide analysis of security risks and vulnerabilities, incorporating all its electronic equipment, data systems, programs, and applications. MCHS agreed to submit to HHS the scope and methodology by which it proposes to conduct the risk analysis, which must be conducted within 120 days of HHS’ approval.

Within 60 days of approval of the risk analysis, MCHS must develop an organization-wide risk management plan to address identified security risks and vulnerabilities. It must also receive HHS approval on written policies and procedures regarding the HIPAA Privacy, Security, and Breach Notification Rules, as well as HHS approval on training materials. Within 30 days of approval, training must be provided to all workforce members.

The agreement does not represent an admission of liability by MCHS.

The corrective plan also involves two years of HHS monitoring.
