A small community health service organization was subject to a $25,000 fine and required to enter into a corrective action plan as part of a settlement for a breach of the HIPAA Security Rule. Metropolitan Community Health Services is a federal qualified health center providing discounted medical services to the underserved in rural North Carolina.
The Agreement with the Office for Civil Rights stemmed from a June 2011 breach report identifying the disclosure of protected health information to an unknown email account. The breach related to 1,263 patients. Investigation revealed that Metro did not comply with the Security Rule and didn’t train employees about HIPAA until 2016. The resolution agreement and corrective action plan may be accessed by clicking here.