Business associate agrees to $650,000 HIPAA fine
A Pennsylvania-based business associate (BA) agreed to a $650,000 HIPAA settlement stemming from the theft of a mobile device in 2014, HHS said in a statement released June 30.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) provided management and IT services to, and was the sole corporate parent of, six nursing homes. In February 2014, HHS received six separate notifications, one from each of CHCS’ nursing homes, informing the agency that a breach of unsecured electronic protected health information (e-PHI) had occurred when an employee’s CHCS-issued iPhone was stolen. The iPhone was neither encrypted nor password protected and contained the PHI of 412 individuals. The PHI included:
- Social Security numbers
- Diagnosis and treatment information
- Medication information
- Names of family members and legal guardians
The Office for Civil Rights’ (OCR) investigation found that CHCS had not conducted an accurate organization-wide risk analysis at any point from September 23, 2013, the compliance date of the Security Rule for BAs, up to the present, according to the corrective action plan (CAP). CHCS therefore had no risk management plan and took no measures to reduce the risks to, and the vulnerability of, e-PHI to acceptable levels. The investigation also found that CHCS had no policy addressing the removal of mobile devices from its facilities and no security incident response plan.
In addition to the fine, CHCS has 120 days to conduct a risk analysis and create a risk management plan based on the results of the analysis. OCR will continue to monitor CHCS for two years to ensure it follows the CAP.
In its statement, HHS used the opportunity to reinforce BAs’ obligations under HIPAA and demonstrate the agency’s willingness to take strong action against BAs who fail to follow HIPAA. The agency suggested that CHCS’s fine could have been even higher; however, the role CHCS plays in delivering care to at-risk individuals, including the elderly, individuals living with HIV/AIDS, young adults transitioning from foster care, and developmentally disabled individuals, was taken into consideration.
This is the second time this year OCR has reached a HIPAA settlement fine with a BA. In March, North Memorial Health Care of Minnesota agreed to pay a $1.5 million settlement.
OCR recently released an alert on covered entities’ (CEs) and BAs’ responsibility to maintain security incident response plans. The alert, sent to OCR listserv subscribers on July 7, detailed points CEs and BAs must consider when creating security incident response plans, such as the technical standards to follow and which staff should serve on the security incident response team. Additional information on breach notification responsibilities and guidance can be found on HHS’ website. CEs and BAs should refer to the National Institute of Standards and Technology special publications for specific cybersecurity standards and guidelines.