The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling allegations that CHCS violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI). This is the first enforcement action that OCR has taken against a “business associate” of a HIPAA-covered entity.

CHCS is a nonprofit organization that provides management and information technology services as a business associate of six nursing homes. These nursing homes reported a data breach to OCR in 2014 after a CHCS employee’s iPhone was stolen. The iPhone was neither encrypted nor protected by a passcode, so whoever held the device could read its contents directly. The iPhone contained Social Security numbers, names of family members and legal guardians, and information regarding diagnoses, medical procedures, medication, and other treatments for 412 patients.

OCR conducted an investigation and concluded that CHCS had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI, and had failed to implement appropriate security measures to reduce those risks, as the HIPAA Security Rule requires.

Under the Resolution Agreement and Corrective Action Plan, CHCS must pay $650,000 and adhere to a corrective action plan that requires it to:

  • Conduct annual risk assessments and document the measures it takes to reduce those risks;
  • Develop, maintain, and annually review and revise its written policies and procedures to comply with the HIPAA Security Rule; and submit those policies and procedures (and revisions) to HHS for approval;
  • Distribute its policies and procedures to all members of its workforce (and to new members within their first 14 days of work) and require new workforce members to sign a certification form stating they have read, understand, and shall abide by such policies and procedures;
  • Report any event of noncompliance with its HIPAA policies and procedures to HHS;
  • Provide annual training for all workforce members with access to ePHI; and
  • Submit annual compliance reports to OCR.

OCR’s action demonstrates that business associates, not only covered entities, need to make sure that they have taken appropriate measures to comply with HIPAA. In this case, the issues came to OCR’s attention only because of a breach. OCR is expected to conduct its first audits of business associates under its new HIPAA audit program this fall, and some audits could turn into OCR investigations even where no breach has occurred.

Ballard Spahr’s HIPAA Compliance Team, comprised of attorneys from various disciplines, advises health care providers, health plans, and their business associates on the privacy and security requirements under HIPAA. Our attorneys provide guidance on security rule practices and policies; prepare HIPAA policies, forms, vendor agreements, and other compliance documentation; prepare training tools and conduct HIPAA compliance training; and advise clients about OCR audit requirements.