For the first time, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has entered into a Resolution Agreement with a business associate over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI). This first settlement likely portends future enforcement actions against business associates for perceived HIPAA violations.

On June 24, 2016, OCR agreed to settle with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provided management and information technology services to its six nursing homes as a business associate. OCR alleged that CHCS potentially violated the HIPAA Security Rule after a CHCS-issued employee smartphone containing nursing home residents’ ePHI was stolen.

Specifically, the smartphone – which was not protected by a password or encryption – contained extensive information on 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, and medical procedures. Additionally, CHCS allegedly did not have policies addressing the removal of mobile devices that contain ePHI, had not undertaken a risk analysis, and did not have a risk management plan in place at time of the theft.

As part of the settlement, CHCS agreed to pay $650,000 and adhere to a two-year corrective action plan requiring the business associate to: conduct annual risk assessments; develop, maintain, and revise its policies and procedures to address a number of Security Rule requirements, including encryption of ePHI, audit controls, integrity controls, log-in monitoring, and password management; provide training for all workforce member with access to ePHI; and submit annual compliance reports to OCR, among other provisions.

The Takeaways: What Does this Mean for Other Business Associates?

It seemed only a matter of time for an OCR settlement with a business associate. OCR settlement agreements often come two to three years after an initial incident, providing time for agency investigation. Since OCR first began holding business associates directly liable under HIPAA starting in September 2013, it was likely that the first settlement agreement with a business associate would come around this time close to 3 years later. But it is safe to say that we will begin to see settlements with business associates interspersed with covered entity settlements in the coming years. Accordingly, business associates should view the CHCS settlement as a shot across the bow that OCR will continue to scrutinize business associates’ HIPAA compliance in the future.

In the meantime, here are the main takeaways for business associates from the CHCS settlement:

  • The settlement amount was shaped by size and services of the business associate. In OCR’s HIPAA enforcement actions from 2008 through June 10, 2016, the average settlement amount was about $1 million. This settlement was significantly less at $650,000. The press release suggests that this may have been because of the business associate’s non-profit status, with any higher settlement amount potentially interfering with CHCS’ ability to continue to serve vulnerable and underserved populations. CHCS’ corrective action plan timeline is consistent with the average plan length of two years that we have previously seen. It seems likely that the settlement would have been at or more than the average if the business associate was a larger, for-profit entity.
  • Consistent with past covered entity settlements, this case focused on the absence of risk analysis and risk management. Once again, OCR is sounding the alarm for the need for a risk analysis. From the press release’s description and the CAP requirements, OCR likely could have alleged other categories of violations.