Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that CHCS violated the HIPAA Security Rule, which requires business associates to conduct enterprise-wide security risk analyses and to prepare corresponding risk management plans.

OCR initiated its investigation upon notification by CHCS of the theft of an employee’s unencrypted company iPhone containing Social Security numbers, diagnosis and treatment information, medications, and names of family members and legal guardians. This resulted in separate notifications from each of the six nursing homes regarding a breach of e-PHI, which, according to OCR, affected some 412 individuals.

OCR identified CHCS’s violations of HIPAA as the failure to:

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS; and
  • Implement appropriate security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.

Such violations were limited to the period after the compliance date for business associates under the HIPAA Security Rule (September 23, 2013).

Under the CAP, CHCS will be required to conduct a security risk analysis, implement a risk management plan, revise its policies and procedures, and provide the business associate and management agreements for all entities for which CHCS acts as a business associate. Additionally, CHCS will provide OCR with security training materials for all of its workforce members who have access to e-PHI, as well as annual reports attesting to CHCS’s compliance with the terms of the CAP.

The CHCS settlement demonstrates the continued focus by OCR on security risk analyses and risk management plans. More importantly, it underscores OCR’s expectation that business associates establish and implement policies and procedures in accordance with their HIPAA obligations. We recommend that covered entities and their corporate parent entities review their HIPAA structures to determine which business associate agreements or other designations are required for the sharing of PHI among the entities. Further, each of these entities must address its own HIPAA obligations, including security risk analyses and risk management plans.