Entity Fined $650,000 in First HIPAA Settlement with a Business Associate

The possibility of business associates potentially being audited, investigated, and ultimately fined is now a reality.  On June 24, 2016, the United States Department of Health and Human Services’ Office of Civil Rights (“OCR”) entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.

This is the first settlement of this kind with a business associate.  If there was ever a question as to how diligent business associates must be in implementing a HIPAA compliant program that includes the management of mobile devices used to transmit protected health information, this settlement makes it clear that business associates should be very vigilant.  According to OCR officials, at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing protected health information from its facility or what to do in the event of a security incident.  It was also determined that CHCS did not have a risk analysis or risk management plan in place.

Pursuant to the corrective action plan set forth in the settlement agreement, OCR will monitor CHCS for a period of two (2) years, and CHCS will be required to conduct an annual risk analysis and implement numerous policies and procedures to ensure that CHCS complies with the Federal standards that govern the security of individually identifiable health information.  In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.

While the settlement agreement with CHCS, as a business associate, may be the first of its type, it will not be the last, as OCR continues to audit and investigate business associates for compliance with HIPAA requirements.  If business associates are not already prepared, it is important that they quickly make strides to ensure that the policies and procedures adopted and employed by their companies meet the standards and implementation specifications of the Security and Breach Notification Rules.  The bottom line is that business associates must be prepared.

Read More: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html

Chara O'Neale

Chara O’Neale focuses her practice primarily on the representation of hospitals, physician groups and other health care providers in the resolution of legal, regulatory and business issues for entities involved in the health care industry.
