OCR Announces $650,000 HIPAA Settlement Related to Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI

On June 30, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $650,000 settlement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The press release indicates that CHCS was a business associate of six skilled nursing facilities, for which it provided management and information technology services.

CHCS experienced a breach when a CHCS-issued employee iPhone was stolen. The press release indicates that the iPhone, which was unencrypted and not password protected, contained Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. A total of 412 individuals were affected by the combined breach. At the time of the breach, CHCS did not have HIPAA policies addressing the removal of mobile devices containing PHI from its facility or the steps to be taken in the event of a HIPAA security incident. OCR also found that CHCS had not conducted a risk analysis or developed a risk management plan.

In addition to the $650,000 monetary settlement, CHCS agreed to a corrective action plan. As part of its corrective action plan, CHCS is required to develop and maintain written policies and procedures necessary to comply with the HIPAA Security Rule. Notably, the corrective action plan expressly requires policies and procedures addressing (but not limited to) the following:

  • Encryption of ePHI
  • Password management
  • Security incident response
  • Mobile device controls
  • Information system review
  • Security reminders
  • Log-in monitoring
  • Data backup plan
  • Disaster recovery plan
  • An emergency mode operation plan
  • Testing and revising of contingency plans
  • Applications and data criticality analysis
  • Automatic log off
  • Audit controls
  • Integrity controls

This settlement serves as an important reminder to business associates that they are required to implement the protections of the HIPAA Security Rule for the electronic PHI they create, receive, maintain, or transmit from covered entities. This includes conducting a risk analysis and developing a corresponding risk management plan.

If you need assistance with the development of or update to HIPAA privacy or security policies, please contact one of our attorneys. We assist covered entities and business associates alike with the development of HIPAA policies to ensure compliance with the requirements of the Privacy and Security Rules. We work directly with providers and business associates to tailor policies in a way that works for your specific organization. If you have concerns about the uncertain costs of hiring an attorney to assist with HIPAA policies, please contact us to discuss the flat fee options available.
