The latest OCR HIPAA settlement further underscores that business associates (BAs) need to ensure that they are adhering to the same data security standards as covered entities.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 as part of its settlement, and is also required to conduct a thorough risk analysis to ensure that it is properly implementing and documenting security measures.
CHCS provided management and information technology services as a BA to six skilled nursing facilities. The OCR investigation and subsequent settlement occurred after OCR received separate notifications in February 2014 from all six of CHCS’ nursing homes that a mobile device had been stolen, potentially compromising 412 individuals’ information.
Furthermore, OCR found that from the compliance date of the HIPAA Security Rule to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”
The BA also did not “implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply” with the HIPAA Security Rule.
OCR Director Jocelyn Samuels explained in a statement that BAs need to implement necessary protections to keep any ePHI they create, receive, maintain, or transmit from covered entities secure.
“This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule,” Samuels stated.
The stolen employee phone was a CHCS-issued iPhone, which was unencrypted and not password protected. Data on the device included Social Security numbers, information regarding diagnoses and treatment, medical procedures, family member and legal guardian names, and medication information.
“In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS,” OCR said. “OCR will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a Business Associate.”
Per the agreement, CHCS must also annually assess, update, and revise its security policies and procedures as necessary. According to OCR, all CHCS workforce members must also be trained on any such changes and, where needed, provide new compliance certifications.
“CHCS shall not involve any member of its workforce in the access of electronic protected health information (“ePHI”) if that workforce member has not signed or provided the written or electronic certification required…” the agreement reads.
Unfortunately, this is not the first OCR HIPAA settlement this year that involved a BA. In March, Minnesota-based North Memorial Health Care agreed to a $1.5 million settlement after it had failed to obtain a business associate agreement.
In that case, a North Memorial vendor laptop was stolen, potentially exposing the PHI for almost 10,000 patients. However, the hospital did not have a signed business associate agreement to show that the vendor was indeed a BA.