Even nonprofit healthcare providers risk HIPAA fines – Metro pays $25K for data breach
by Ryan Ozawa
Even small healthcare providers dedicated to helping underserved populations need to be HIPAA compliant.
That’s the lesson learned this summer by Agape Health Services in North Carolina. Operated by Metropolitan Community Health Services, the provider recently agreed to pay $25,000 for its disclosure of the protected health information (PHI) of 1,263 patients.
About Metropolitan Community Health Services
Metropolitan Community Health Services (or Metro) is a 501(c)(3) nonprofit healthcare provider dedicated to rural communities in eastern North Carolina. It is a Federally Qualified Health Center (FQHC). With two locations and a third slated to open this year, Metro provides direct primary and preventive medical, dental, pharmacy, and behavioral health services on a sliding fee scale.
Established in 1998, the health care provider is dedicated to low-income and indigent members of the community, providing services regardless of age, race, or faith. In addition to operating free or low-fee clinics under the name Agape Health Services, Metro also helps clients with housing, finances, and education.
Metro filed a data breach report in 2011 with the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). The breach involved the impermissible disclosure of 1,263 patients’ PHI to “an unknown email account.”
In other words, Metro fell victim to an email phishing attack.
Through its investigation, HHS found “longstanding, systemic noncompliance with the HIPAA Security Rule.” For example:
- Failure to conduct any risk analyses
- Failure to implement any HIPAA Security Rule policies and procedures
- Failure to provide workforce members with security awareness training until 2016
“Health care providers owe it to their patients to comply with the HIPAA Rules,” said OCR director Roger Severino in the HHS press release. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
What was the penalty?
Under the resolution agreement between Metro and the OCR, Metro did not have to admit liability. However, the healthcare provider agreed to pay $25,000 to OCR, which noted that the low-cost services that Metro provides to its community “were taken into account in reaching this agreement.”
In addition to the monetary settlement, Metro agreed to a corrective action plan that includes:
- Conducting a thorough, enterprise-wide risk and vulnerability analysis
- Upon approval, developing and implementing a risk management plan
- Conducting an accurate and thorough risk and vulnerability assessment every year
Even federally sanctioned, nonprofit healthcare providers that help the most vulnerable people need to be HIPAA compliant. Indeed, putting these already disadvantaged clients at risk of identity theft or fraud is especially troubling.
In the Metro case, as in many data breach cases, the unauthorized disclosure of health information occurred via email.
Email is the number one threat vector because of the human factor. Email filtering tools can block a lot of malicious messages, but if even one gets through, a single inadvertent click can grant an attacker unauthorized access.
This is the vulnerability that Paubox Email Suite Plus is designed to address. In addition to enabling healthcare providers to send HIPAA compliant email without relying on passwords or portals, it helps mitigate inbound email threats by running hundreds of checks on each incoming email to protect you against malicious attacks.