Small North Carolina Health Services Provider Agrees to Pay $25,000 for HIPAA Security Rule Violations

The HHS’ Office for Civil Rights (OCR) reported that it has reached a $25,000 settlement with Metropolitan Community Health Services to resolve HIPAA Security Rule violations.

Metropolitan Community Health Services, based in Washington, NC, is a Federally Certified Health Center that delivers integrated medical, behavioral health, dental and pharmacy services for adults and children. Operating as Agape Health Services, Metro offers lower-cost medical services to underserved people living in rural North Carolina. Metropolitan Community Health Services has close to 43 employees and takes care of 3,100 patients annually.

On June 9, 2011, Metropolitan Community Health Services submitted a breach report to OCR about a breach of 1,263 patients’ protected health information (PHI). OCR carried out a compliance audit to determine whether the breach resulted from noncompliance with the HIPAA Rules. The OCR team found longstanding, systemic noncompliance with the HIPAA Security Rule.

Before the breach happened, Metropolitan Community Health Services had failed to enforce HIPAA Security Rule policies and procedures, which violates 45 C.F.R. § 164.316, and had not performed an adequate and detailed analysis of the potential risks to the confidentiality, integrity and availability of ePHI, which violates 45 C.F.R. § 164.308(a)(1)(ii)(A). Although it had been in business since 1999, the provider did not give its employees any HIPAA security awareness and training before June 30, 2016, which violates 45 C.F.R. § 164.308(a)(5).

In deciding on an acceptable settlement, OCR considered the size of the business and a few other factors. Aside from paying a financial penalty of $25,000 to settle the HIPAA Rule violations, Metropolitan Community Health Services agreed to undertake an effective corrective action plan and to implement policies and procedures in accordance with the standards mandated by HIPAA. Over a two-year period, Metropolitan Community Health Services will be monitored for compliance with the established corrective action plan.

This $25,000 settlement is the second in 2020 that a HIPAA covered entity has paid to resolve violations of the HIPAA Rules. The first settlement, in March 2020, was a $100,000 financial penalty paid by Steven A. Porter, M.D., with regard to risk evaluation and risk management violations.

The penalty shows that healthcare companies, big or small, are obliged to comply with the HIPAA regulations. When advised of possible HIPAA violations, providers should promptly resolve problem areas to secure people's health information, according to OCR Director Roger Severino.