While it is not the first enforcement action against a small healthcare provider, a recent settlement announced by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services serves as a reminder to small entities subject to HIPAA regulation that their size does not negate their compliance obligations.
On July 23, 2020, OCR released details of a settlement with Metropolitan Community Health Services, doing business as Agape Health Services (“Metro”), a nonprofit, tax-exempt Federally Qualified Health Center (“FQHC”), for potential violations of the HIPAA Security Rule. Pursuant to the settlement, Metro is required to pay $25,000 to OCR and is subject to a corrective action plan that requires monitoring by OCR for two years.
OCR’s investigation into Metro’s HIPAA compliance was triggered by a 2011 breach report that the FQHC made to OCR. This breach involved the improper transmission of health information regarding 1,263 individuals to an unknown email account. After an investigation, OCR discovered what it referred to as Metro’s “longstanding, systemic noncompliance” with the HIPAA Security Rule. In particular, OCR found that Metro did not conduct any risk analyses, implement policies and procedures as required under the HIPAA Security Rule, or provide security awareness training to its workforce until 2016.
Metro, as an FQHC, provides medical services to an underserved community in rural North Carolina. It is a relatively small healthcare provider, serving 3,100 patients annually with a staff of 43 employees. OCR, in its press release about the settlement, acknowledged that these factors were considered as part of the settlement.
Healthcare providers, health plans, and business associates of all sizes that are regulated by HIPAA are required to have a compliance program in place to address the requirements of the HIPAA Privacy, Security, and Breach Notification Rules. With respect to Security Rule compliance, the area in which OCR found Metro deficient, HIPAA permits a flexible approach: covered entities and business associates may take into account their own size, complexity, and capabilities, as well as the cost of security measures and the probability and criticality of the risks to their electronic protected health information. However, that flexibility should not be read as a license to ignore elements of a compliance program, such as HIPAA training or a security risk analysis. As this enforcement action indicates, even small providers serving vulnerable populations must implement comprehensive HIPAA compliance programs.