July 13, 2016
Although Business Associates have been directly subject to, and liable under, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010, the Department of Health & Human Services, Office for Civil Rights (OCR), announced on June 30 that it has entered into its first resolution agreement with a HIPAA Business Associate. The announcement sends a clear message that OCR is holding Business Associates accountable and expects these entities to understand and comply with their HIPAA obligations.

The resolution agreement is with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for potential violations of the HIPAA Security Rule and includes a monetary resolution payment of $650,000 and a corrective action plan (CAP). According to OCR's press release, CHCS provided management and information technology services to six skilled nursing facilities, and at the time of the incident was also the sole corporate parent of those facilities. In April 2014, OCR initiated an investigation after receiving separate notification from each of the six skilled nursing facilities that CHCS had experienced a breach of protected health information (PHI) when a CHCS-issued employee iPhone was stolen. Significantly, the iPhone was unencrypted and was not password protected, so whoever took the device could read its contents directly. The PHI on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information of 412 individuals. At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also found that CHCS had no risk analysis or risk management plan.
