On June 24, 2016, the Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a “Resolution Agreement and Corrective Action Plan” to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The agreement requires CHCS to pay a fine of $650,000, in addition to enacting corrective actions to minimize risk of future HIPAA violations.
CHCS provided management services to multiple skilled nursing facilities and, in this capacity, was a HIPAA-designated “Business Associate” of each nursing facility. In April 2014, the Office of Civil Rights (“OCR”), the agency charged with investigating HIPAA violations, began its investigation of CHCS. The investigation stemmed from a voluntary notification to OCR that a CHCS employee’s cellphone was stolen. Although the cellphone was provided by CHCS to the employee for work-related purposes, it was neither password-protected nor contained any data encryption software. Accordingly, anyone in possession of the phone would be able to access HIPAA “Protected Health Information” (“PHI”) for over 400 nursing facility residents. This information included: patient names, names of family members, social security numbers, medical diagnoses, and medication lists.
In its investigation, the OCR was unable to determine if any of this information was ever accessed improperly. Regardless, CHCS faced significant penalties related to its failure to maintain any policies regarding the use of employer-provided cellular phones outside the facility or procedures in the event of a security breach. Additionally, CHCS did not implement HIPAA risk analysis or plan to prevent inadvertent disclosure of PHI.
This case highlights the importance of HIPAA preparation and planning. It is not enough to hope that a HIPAA violation never occurs and take a “we’ll cross that bridge when we come to it mentality.” The failure to implement HIPAA-specific policies and procedures and prepare in advance of a security incident are enough to subject a practice to sanctions.
If you have yet to review your HIPAA compliance policies and procedures in the last year, now is a good time to start. In the unfortunate event that a security incident occurs, having good compliance plans and educated personnel may make a significant difference in the OCR’s investigation and response.