Metropolitan Community Health Services (Metro), doing business as Agape Health Services, has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Metro is a Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina, and these facts were taken into account in reaching this agreement.
On June 9, 2011, Metro filed a breach report regarding the impermissible disclosure of protected health information to an unknown email account.
The breach affected 1,263 patients. OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule.
In addition to the monetary settlement, Metro will undertake a corrective action plan that includes two years of monitoring.
The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs.
The HIPAA Journal points out that there are hundreds of ways that HIPAA Rules can be violated. Among the most common HIPAA violations are:
- Impermissible disclosures of protected health information (PHI);
- Unauthorized accessing of PHI;
- Improper disposal of PHI;
- Failure to conduct a risk analysis;
- Failure to manage risks to the confidentiality, integrity, and availability of PHI; and
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI.
Many HIPAA violations are discovered by HIPAA-covered entities through internal audits.
Supervisors may identify employees who have violated HIPAA Rules, and employees often self-report HIPAA violations and potential violations by co-workers.