With no more details than the OCR announcement today, we are left wondering how this case evolved and why it took so long to reach a corrective action plan. Metropolitan Community Health Services filed a 2011 breach report affecting almost 1,300 patients. The $25,000 payment agreement also seems like a slap on the wrist given that OCR reports "...Metro failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016...". Regardless, there is something to learn from reading each and every OCR settlement or corrective action plan, and we encourage our subscribers to do exactly that.
Click the graphic below to read the original OCR announcement and settlement details.
Stay (HIPAA) safe, Alan