On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS). This is HHS’ first resolution agreement and monetary penalty against a business associate (BA) under HIPAA.

CHCS provides management and IT services to nursing facilities as a BA. The alleged HIPAA violations arose from theft of a CHCS mobile device, compromising 412 nursing home residents’ protected health information (PHI). HHS’ investigation results indicate that CHCS failed to (1) conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic PHI, and (2) implement appropriate security measures to reduce such risks and vulnerabilities, in violation of HIPAA’s Security Rule.

Under the settlement, CHCS has agreed to pay HHS $650,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires CHCS to conduct an accurate and thorough security risk assessment; develop, maintain, and implement comprehensive security policies and procedures; educate its workforce on such policies and procedures and train them on security issues; report internal violations of its security policies and procedures to HHS; provide copies of its BA agreements to HHS; maintain compliance records for a period of 6 years; and submit annual compliance reports to HHS.

HHS continues to ramp up its HIPAA enforcement activities. This case is surely just the first of many enforcement actions against BAs, especially since HHS will start conducting its HIPAA compliance audits of select BAs this fall under Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program (previously discussed on Arent Fox’s Health Care Counsel blog here, here, and here). As a result, businesses that provide goods and services to covered entities (and to BAs) and may come into contact with PHI should carefully assess whether they are subject to HIPAA as a BA. If so, they should have a rigorous HIPAA compliance program in place.