The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled allegations by the Department of Health and Human Services (HHS) that it violated the Heath Insurance Portability and Accountability Act (HIPAA) Security Rule, agreeing to pay $650,000.  The allegations relate to the theft of a CHCS mobile device that contained the protected health information of 412 nursing home residents.  CHCS is not a “covered entity” under HIPAA, but is a business associate of “covered entities.”  As a result of the HITECH Act of 2009 and HHS’s implementing regulations, key parts of the Security Rule are now directly applicable to business associates ‒ which means even seemingly small violations can lead to hefty fines for companies that provide services to HIPAA covered entities.