On June 24, 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a resolution agreement with the Department of Health and Human Services Office for Civil Rights (“OCR”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule after the theft of a CHCS mobile device compromised the protected health information (“PHI”) of 412 nursing home residents. This is OCR’s first settlement with a HIPAA business associate. As part of the settlement, CHCS agreed to enter into a two-year corrective action plan (“CAP”) and pay a monetary penalty of $650,000.
CHCS provides management and information technology services as a business associate to six skilled nursing facilities that it formerly owned. OCR initiated its investigation of CHCS on April 17, 2014, after receiving separate notification from each of the six skilled nursing facilities in February 2014 that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee smart phone. According to OCR, the smart phone was unencrypted and was not password protected. The information on the smart phone included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.
OCR’s investigation revealed that, from September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to (1) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS in accordance with 45 C.F.R. § 164.308(a)(1)(ii); and (2) implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule. Specifically, at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing electronic PHI from its facility and no risk analysis or risk management plan to address what to do in the event of a security incident.
This is the first HIPAA noncompliance settlement that OCR has entered into with a business associate since the enactment of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) first made business associates directly liable under HIPAA in 2009. Now that OCR has commenced enforcement against business associates and given that the second round of HIPAA compliance audits includes such entities, companies that are regulated as business associates should renew their efforts to ensure compliance with HIPAA. As OCR noted in its press release, a risk assessment and risk management plan are cornerstones of compliance with the HIPAA Security Rule. Multiple settlements have been reached with covered entities for failure to perform a risk assessment. As a result, it would be reasonable to expect that OCR’s action against CHCS will be the first of many settlements with business associates related to this issue.