Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Articles
    4. Recent OCR enforcement serves as reminder that small providers are not exempt from HIPAA regulationArticles

    Article

    Recent OCR enforcement serves as reminder that small providers are not exempt from HIPAA regulation

    Aug 28, 2020

    Share

    By Valerie Montague

    Nonprofit FQHC found to be out of compliance and subject to a fine after a breach investigation.

    While it is not the first enforcement action against a small healthcare provider, a recent enforcement action by the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services serves as a reminder to small entities subject to HIPAA regulation that their size does not negate their compliance obligations.

    On July 23, 2020, OCR released details of a settlement with Metropolitan Community Health Services, doing business as Agape Health Services (“Metro”), a nonprofit, tax-exempt Federally Qualified Health Center (“FQHC”), for potential violations of the HIPAA Security Rule. Pursuant to the settlement, Metro is required to pay $25,000 to OCR and is subject to a corrective action plan that requires monitoring by OCR for two years.

    OCR’s investigation into Metro’s HIPAA compliance was triggered by a 2011 breach report that the FQHC made to OCR. This breach involved the improper transmission of health information regarding 1,263 individuals to an unknown email account. After an investigation, OCR discovered what it referred to as Metro’s “longstanding, systemic noncompliance” with the HIPAA Security Rule. In particular, OCR found that Metro did not conduct any risk analyses, implement policies and procedures as required under the HIPAA Security Rule, or provide security awareness training to its workforce until 2016.

    Metro, as an FQHC, provides medical services to an underserved community in rural North Carolina. It is a relatively small healthcare provider, serving 3,100 patients annually with a staff of 43 employees. OCR, in its press release about the settlement, acknowledged that these factors were considered as part of the settlement.

    Healthcare providers, health plans, and business associates of all sizes that are regulated by HIPAA are required to have a compliance program in place to address the requirements of the HIPAA Privacy, Security, and Breach Notification Rules. With respect to Security Rule compliance, which was what OCR identified as a compliance concern for Metro, HIPAA permits a flexible approach, giving covered entities and business associates the ability to take the size, complexity, and capabilities of its entity into account, as well as the costs and the probability of the risks to the entity’s protected health information. However, that flexibility should not be read as a license to ignore elements of a compliance program, such as HIPAA training or a security risk analysis. As indicated by this enforcement action, even small providers serving vulnerable populations must implement comprehensive HIPAA compliance programs.

    PrivacyPrivacyHealthcareHealth Care And HipaaData Breach

    Practices

    HealthcareHealth Information - Privacy, Security, and Data Sharing

    Insights And Happenings

    • Podcast

      OCR enforcement actions emphasize focus on HIPAA Right of Access Initiative

      Healthcare
      Oct 12, 2022

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL