It’s a HIPAA first.

A business associate has settled a direct enforcement action over allegations that it potentially violated HIPAA. We can expect future HIPAA enforcement actions against business associates.

What Happened?

It all started with the theft of a smartphone.

On June 24, 2016, the U.S. Department of Health & Human Services OCR entered into a resolution agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides, as a business associate, management and information technology services to its six nursing homes. The theft of an employee’s CHCS-issued smartphone triggered the investigation.

The unencrypted smartphone contained information on 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, and medical procedures. In addition to the loss of the smartphone, CHCS allegedly:

  1. Did not have policies addressing the removal of mobile devices that contain electronic protected health information (ePHI);
  2. Had not undertaken a risk analysis; and
  3. Did not have a risk management plan in place at time of the theft.

The Settlement?

CHCS agreed to pay $650,000 and adhere to a two-year corrective action plan. The corrective action plan requires the business associate to:

  1. Conduct a risk analysis on an annual basis;
  2. Develop, maintain, and revise its policies and procedures to address a number of HIPAA security requirements, including encryption of ePHI, audit controls, integrity controls, log-in monitoring, and password management;
  3. Provide training for all workforce with access to ePHI; and
  4. Submit annual compliance reports to OCR, among other provisions.

Why Now?

It was only a matter of time before a business associate was targeted for a HIPAA settlement. OCR settlement agreements tend to arise two to three years after the breach incident that caught OCR’s attention, providing time for agency investigation and negotiations. Since OCR first began holding business associates directly liable under HIPAA in September 2013, it seemed likely that the first settlement agreement with a business associate would come around this time, close to three years later. OCR already has taken enforcement actions against covered entities related to their business associates, usually related to a lack of a business associate contract. It is safe to say that we will begin to see settlements with business associates interspersed with covered entity settlements in the coming years.

To find out what this means for Business Associates and the lessons learned, check out ITPAC’s blog.