In July, the HHS Office for Civil Rights (OCR) reached a $25,000 settlement with Agape Health Services, a federally qualified health center in rural Washington, North Carolina,[1] after initially proposing a $400,000 fine,[2] Clifton Gray III, the chief compliance officer for Agape, told Report on Patient Privacy, RMC’s sister publication. Even at $25,000, the payment—accompanied by a two-year corrective action plan—was “devastating,” Gray said.
What so irked Gray was that OCR’s investigation was triggered by a small email breach that had happened 11 years earlier, and that the agency refused to base the settlement on Agape’s current state of compliance. OCR said Agape had been noncompliant until 2016.