
A Large Fine for a Small Provider Failing to Implement HIPAA

A small-town North Carolina provider is being fined $25,000 for multiple, easily avoidable HIPAA violations, for “longstanding, systemic noncompliance with the HIPAA Security Rule.”

Note: The provider is part of a health center that offers discounted medical services to the underserved population in rural NC, and the fines were reduced in consideration of this, still resulting in a significant monetary loss.

In 2011, Metropolitan Community Health Services (Metro), doing business as Agape Health Services, filed a breach report regarding “the impermissible disclosure of protected health information to an unknown email account.” The breach affected over 1,200 patients!

In addition to the large monetary penalty, the practice is required to develop and adopt a corrective action plan (which includes 2 years of thorough monitoring) after the Office for Civil Rights (OCR) discovered that Metro failed to conduct a thorough and comprehensive HIPAA Security Risk Assessment and Analysis. In addition, Metro did not implement a single HIPAA Security Rule Policy and Procedure for the health center. Possibly worst of all, Metro failed to provide workforce members with HIPAA Privacy and Security Awareness training until 2016!

Patients must trust those with whom they share their personal, private and protected health information; a breach such as this is obviously devastating for the patients and for their doctor’s reputation. How can physicians ensure that they are meeting the HIPAA requirements and have proper safeguards in place to avoid this sort of breach?

To start, an accurate and thorough Security Risk Assessment and Analysis must be conducted to expose and target any potential administrative, physical, and technical vulnerabilities. Doing so would have highlighted the major flaws in the practice’s administrative and technical safeguards, and the importance of the policies and procedures the practice needed to implement.

Most obviously, the designated HIPAA Privacy and Security Officer must ensure all employees complete HIPAA Workforce training. All employees of the practice, including the physicians, must take HIPAA training to ensure employees have a clear understanding of the HIPAA Privacy rule and actionable policies and procedures.


Healthcare organizations and their vendors have a responsibility to be HIPAA compliant, and that starts by performing, updating or reviewing an accurate and thorough Security Risk Assessment covering your Technical, Administrative and Physical Safeguards. This will help uncover vulnerabilities and help you understand what information is being transmitted or shared, with whom, and how.


  • Complete a Security Risk Assessment and establish a Corrective Action Plan that is accurate and thorough. Remediate any potential risks or vulnerabilities.

  • A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information.

  • Develop actionable policies and procedures that clearly outline permitted disclosures of PHI. Policies and procedures can be edited and shared directly with staff from your Live Compliance staff portal.

  • Ensure all employees complete and have a clear understanding of the HIPAA Privacy rule and policies and procedures. Completely built into your portal, Live Compliance training is custom, online, and role-based. Trainings are delivered and monitored within your Live Compliance portal, anytime and from anywhere. Easily send and monitor HIPAA training in one click.

Live Compliance provides everything you need to achieve and maintain your organization's HIPAA compliance requirements, and we make it 10x easier than trying to do it on your own.

Take advantage of our Organization Needs Assessment to understand your immediate compliance needs! Contact Jim Johnson at or at (980) 999-1585 or
