The possibility of business associates potentially being audited, investigated, and ultimately fined is now a reality. On June 24, 2016, the United States Department of Health and Human Services’ Office of Civil Rights (“OCR”) entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.
This is the first settlement of this kind with a business associate. If there was ever a question as to how diligent business associates must be in implementing a HIPAA-compliant program that includes the management of mobile devices used to transmit protected health information, this settlement makes it clear that business associates should be very vigilant. According to OCR officials, at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing protected health information from its facility or what to do in the event of a security incident. It was also determined that CHCS did not have a risk analysis or risk management plan in place.
Pursuant to the corrective action plan set forth in the settlement agreement, OCR will monitor CHCS for a period of two (2) years, and CHCS will be required to conduct an annual risk analysis and implement numerous policies and procedures to ensure that CHCS complies with the Federal standards that govern the security of individually identifiable health information. In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
While the settlement agreement with CHCS, as a business associate, may be the first of its type, it will not be the last, as OCR continues to audit and investigate business associates for compliance with HIPAA requirements. If business associates are not already prepared, it is important that they quickly make strides to ensure that the policies and procedures adopted and employed by their companies meet the standards and implementation specifications of the Security and Breach Notification Rules. The bottom line is that business associates must be prepared.