Last month, leaders from Agape Health Services in rural Washington, North Carolina, were happy to share photos of the shell of a building in neighboring Plymouth that, within a year, will be transformed into the third location for this federally qualified health center (FQHC). “Here we GROW!” proclaimed the Facebook post. “We’re SUPER excited to be able to serve the citizens of Plymouth…and surrounding areas! Services will include: Primary medical care, dental, behavioral health and an on-site pharmacy!”[1]
Days later, however, Agape was in the news for a different reason: the HHS Office for Civil Rights (OCR) announced that officials had agreed to a $25,000 payment and a two-year corrective action plan (CAP) to resolve allegations that the health center wasn’t compliant with the HIPAA Security Rule until 2016.[2] What was startling about the settlement was that it resulted from a small breach that occurred nine years earlier.
The settlement was just the second OCR has released this year, and the amount put it very near the historical bottom for an agency that routinely collects settlements of a million dollars or more. Just days later, OCR announced a $1 million settlement[3] that dwarfed Agape’s.[4]
Yet for Clifton Gray III, the chief compliance officer for Agape, the man who signed that he’ll be responsible for implementing the CAP and submitting all required reports and documents, the $25,000 stung. In fact, Gray—who spoke exclusively to RPP—said the payment was “devastating” to the health center. Still, it was better than what he said OCR first proposed—a fine of $400,000 that would have “forced us to close.”
No Known Harm From 2011 Breach
Gray told RPP that what gives him “indigestion” is that OCR officials were not willing to consider Agape’s more recent compliance history. “I don't think it’s fair for us to be held accountable for something that stemmed from 2011,” said Gray. Agape signed the agreement with OCR to avoid a more costly court battle. “In order not to waste our resources, we went ahead with $25,000 just to settle it and move on,” he said. In a brief email, OCR officials told RPP the agency “does not comment on settlement discussions,” and repeated language from the announcement regarding Agape’s alleged “long-standing, systemic noncompliance.”
Nearly nine years passed from the date of the breach to the Agape settlement, seemingly the longest time from an incident to an agreement in OCR’s history. Typically cases are settled within five years or less, and recent ones involving patients accessing their records have been turned around in under two years.[5] It took OCR six years to reach an $800,000 settlement with Park View Health System Inc. of Fort Wayne, Indiana, in a case that, like this one, was marked by fits and starts.[6]
OCR referred to Agape in the settlement documents as Metropolitan Community Health Services Inc., doing business as Agape.[7] Like other FQHCs, it operates on a sliding scale and accepts Medicare and Medicaid as well as commercial insurance plans at its two locations in Eastern North Carolina. It was founded in 1998 in the city of Washington, which is considered part of the “Inner Banks,” and added another location in Williamston in 2013.
Metropolitan filed a breach report on June 9, 2011, regarding protected health information (PHI) for 1,263 people that was disclosed “to an unknown email account.” Gray told RPP an unencrypted email was sent to an attorney working for Agape, but the address was wrong, so Agape wasn’t sure where the email went. He said there has never been any evidence of fraud or other misuse associated with the misdirected email.
In its July 24 settlement announcement, OCR said its investigation into the incident “revealed longstanding, systemic noncompliance with the HIPAA Security Rule,” contending that Agape hadn’t conducted “any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.”
Unlike other announcements that sometimes feature especially stern or scolding language, this one was relatively mild and generic in tone. “Health care providers owe it to their patients to comply with the HIPAA Rules,” said OCR Director Roger Severino. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”