Small N.C. Health Center Pays Price for 2011 Breach, Noncompliance; 'We Had to Move On'

By Theresa Defino

Last month, leaders from Agape Health Services in rural Washington, North Carolina, were happy to share photos of the shell of a building in neighboring Plymouth, that, within a year, will be transformed as the third location for this federally qualified health center (FQHC). “Here we GROW!” proclaimed the Facebook post. “We’re SUPER excited to be able to serve the citizens of Plymouth…and surrounding areas! Services will include: Primary medical care, dental, behavioral health and an on-site pharmacy!”[1]

Days later, however, Agape was in the news for a different reason: the HHS Office for Civil Rights (OCR) announced that officials had agreed to a $25,000 payment and two-year corrective action plan (CAP) to resolve allegations it wasn’t compliant with the HIPAA security rule until 2016.[2] What was startling about the settlement was the fact that it resulted from a small breach that occurred nine years earlier.

The settlement was just the second OCR released this year, and the amount put it very near the historical bottom for an agency that routinely collects settlements of a million or more. And just days later, OCR announced a $1 million settlement[3] that dwarfed Agape’s.[4]

Yet for Clifton Gray III, the chief compliance officer for Agape, the man who signed that he’ll be responsible for implementing the CAP and submitting all required reports and documents, the $25,000 stung. In fact, Gray—who spoke exclusively to RPP—said the payment was “devastating” to the health center. Still, it was better than what he said OCR first proposed—a fine of $400,000 that would have “forced us to close.”

No Known Harm From 2011 Breach

Gray told RPP that what gives him “indigestion” is that OCR officials were not willing to consider Agape’s more recent compliance history. “I don't think it’s fair for us to be held accountable for something that stemmed from 2011,” said Gray. Agape signed the agreement with OCR to avoid a more costly court battle. “In order not to waste our resources, we went ahead with $25,000 just to settle it and move on,” he said. In a brief email, OCR officials told RPP the agency “does not comment on settlement discussions,” and repeated language from the announcement regarding Agape’s alleged “long-standing, systemic noncompliance.”

Nearly nine years passed from the date of the breach to the Agape settlement, seemingly the longest time from an incident to an agreement in OCR’s history. Typically cases are settled within five years or less, and recent ones involving patients accessing their records have been turned around in under two years.[5] It took OCR six years to reach an $800,000 settlement with Park View Health System Inc. of Fort Wayne, Indiana, in a case that, like this one, was marked by fits and starts.[6]

OCR referred to Agape in the settlement documents as Metropolitan Community Health Services Inc., doing business as Agape.[7] Like other FQHCs, it operates on a sliding scale and accepts Medicare and Medicaid as well as commercial insurance plans at its two locations in Eastern North Carolina. It was founded in the city of Washington in 1998 (which is referred to as part of the “Inner Banks”), and added another location in Williamston in 2013.

Metropolitan filed a breach report on June 9, 2011, regarding protected health information (PHI) for 1,263 people that was disclosed “to an unknown email account.” Gray told RPP an unencrypted email was sent to an attorney working for Agape, but the address was wrong, so Agape wasn’t sure where the email went. He said there has never been any evidence of fraud or other misuse associated with the misdirected email.

In its July 24 settlement announcement, OCR said its investigation into the incident “revealed longstanding, systemic noncompliance with the HIPAA Security Rule,” contending that Agape hadn’t conducted “any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.”

Unlike other announcements that sometimes feature especially stern or scolding language, this one was relatively mild and generic in tone. “Health care providers owe it to their patients to comply with the HIPAA Rules,” said OCR Director Roger Severino. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings