Metropolitan Community Health Services, a Williamston, N.C.-based federally qualified health center that does business as Agape Health Services, has agreed to pay HHS' Office for Civil Rights $25,000, the agency announced Thursday.
The fine settles multiple alleged HIPAA violations.
However, OCR officials said they considered Agape Health Services' status as a small healthcare provider that provides discounted medical services to underserved, rural populations when reaching a settlement agreement.
Agape Health Services in 2011 alerted OCR about a data breach that affected protected health information of 1,263 patients. OCR's subsequent investigation revealed "longstanding, systemic noncompliance with the HIPAA Security Rule," according to the agency, including failure to conduct thorough risk analyses and, until 2016, not providing adequate security awareness training to staff.
In addition to the monetary settlement, Agape Health Services will implement a corrective action plan that includes HHS monitoring its HIPAA compliance for two years.
"Healthcare providers owe it to their patients to comply with the HIPAA Rules," said OCR Director Roger Severino in a statement. "When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information."
Agape Health Services did not return a request for comment.
While $25,000 may seem like a relatively small fine, it speaks to OCR's commitment to considering "the nature of the organization and their ability to pay," said Marti Arvin, an executive adviser at cybersecurity consulting firm CynergisTek.
Some recent HIPAA settlements have numbered in the millions.
"$25,000 doesn't seem like a very large settlement amount, but I'm sure for an organization this size that isn't an inconsequential number," Arvin said. There's also costs associated with complying with the corrective action plan.
Small hospitals tend to lack resources for dedicated cybersecurity staff, making them more vulnerable to cyberattacks, according to a report Moody's Investors Service released last year.
That's something Keith Swiat, senior architect in consulting firm West Monroe's technology practice, said he's noticed while working on mergers and acquisitions of small health clinics.
"They tend to run very lean," Swiat said. "Just like any small business, people are really busy keeping the shop running."
Small providers often don't have a dedicated lead for compliance and cybersecurity, leading them to fall behind on keeping up-to-date on best practices for securing data and conducting annual risk assessments, Swiat said. Providers, of any size, shouldn't overlook setting up policies and procedures that follow HIPAA and then regularly documenting compliance with them.
HIPAA "is a very governance-heavy framework," Swiat said. "It takes strategy, foresight and money to be able to implement all the controls that HIPAA requires."