Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to pay a $650,000 settlement with corrective action plan for violations of the HIPAA Security Rule. This is the highest fine levied against a Business Associate in the history of HIPAA enforcement.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated CHCS after the organization reported the theft of an employee’s iPhone containing the protected health information (PHI) of 412 patients. CHCS is a Business Associate that provides management and IT services to six different nursing facilities.
A Business Associate is defined as any organization that encounters or handles PHI over the course of the work they’ve been hired to complete by a Covered Entity (examples include: billing firms, shredding companies, attorneys, EHR platforms, cloud-storage services, and IT providers to name a few). Business Associates have been required to be compliant with federal HIPAA regulation since the HIPAA Omnibus Rule was passed in 2013.
OCR launched its investigation on April 17, 2014. Over the course of the investigation, OCR discovered that CHCS had no policies in place to control the movement of mobile devices containing PHI off of the facility. Additionally, there were no policies or procedures in place on how to deal with security incidents.
The stolen iPhone was unencrypted and was not password protected. It reportedly contained extensive amounts of sensitive information, including social security numbers, data on diagnosis and treatment, medical procedures, the names of related family members and legal guardians, and patients’ medication history. OCR investigators also discovered that the organization had no risk analysis or risk management plan in place throughout their organization.
OCR Director, Jocelyn Samuels, made it clear that: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information [ePHI] they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
Fines and the Future of HIPAA Enforcement for BAs
The fine comes out to roughly $1,578 per incident–relatively low on the fine schedule for HIPAA violations which range from $100-$50,000 per incident. OCR has said that they “considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.”
So the fines, in this instance, were curbed slightly due to the scope of the services that CHCS provides. The fines for the violations could have been significantly higher if OCR had decided to pursue stricter punishments. The CHCS investigation should be a red flag to all HIPAA-beholden Business Associates: OCR’s investigative reach is growing.
With OCR investigations of HIPAA violations and data breaches becoming more and more common across the health care industry, the future of HIPAA enforcement is rapidly changing. The days of large hospitals and insurance companies being the primary targets for HIPAA audits are over. Business Associates and Covered Entities of all sizes must begin preparing for this world of stricter enforcement in order to protect the privacy of their patients and the reputation of their business.