Six figure HIPAA settlement a harsh reality check for Business Associates

Catholic Health Care Services (CHCS), a Pennsylvania based company that provides management and information technology services as a business associate to six skilled nursing facilities, has been ordered to pay $650,000 to settle HIPAA violations connected to the theft of an employee’s iPhone.

The incident compromised the PHI of 412 nursing home residents – including Social Security numbers, diagnosis and treatment details, medical procedures, names of family members and legal guardians, and medication information – and occurred because the information contained on the phone was unencrypted and not password protected.

Additionally, after further investigation, OCR found that CHCS failed to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality integrity, and availability of e-PHI.”

Whatsmore, the company also failed to “implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule.”

The general requirements of § 164.306(a) require covered entities and business associates to do the following:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
4. Ensure compliance with this subpart by its workforce.

In addition to the six figure settlement, CHCS has agreed to comply with a Corrective Action Plan, which involves a number of remedial actions related to the failure to adhere to the above requirements. These actions include, but are not limited to:

• Conduct and document annual risk analysis and risk management audits.
• Develop, maintain, and revise policies and procedures to comply with the HIPAA Security Rule.
• Distribute policies and procedures to all employees within 30 days of HHS approval, and obtain confirmation that all have read, understand, and shall abide by the policies and procedures.
• Report any failures to comply with policies and procedures to HHS within 30 days.
• Provide HHS with copies of its business associate agreements with all covered entities for whom it acts as a business associate.
• Provide HHS with security training materials for all employees that have access to ePHI within 60 days of the Effective Date.

You can read the Resolution agreement and Corrective Action Plan between HHS and CHCS in full here.

Business associates need to take HIPAA seriously

This incident should serve as a stark reminder to business associates that HIPAA compliance is an extremely serious matter, and further highlights the need for business associates to ensure they are adhering to the same stringent security standards as HIPAA covered entities.

With the Phase 2 HIPAA audits currently underway, there’s no time like the present for business associates and HIPAA covered entities to familiarize themselves with HIPAA’s Privacy, Security and Breach Notification rules, ensure policies and procedures are up to date, and that HIPAA compliance is ingrained within every member of the organization. As the CHCS case has highlighted, there is zero room for error when it comes to HIPAA compliance and the consequences of noncompliance can be disastrous.