Business Associates Beware! OCR Is Coming For You

Akerman LLP - Health Law Rx

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced the first HIPAA settlement involving a business associate. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit organization that provides management and information technology services to six wholly owned skilled nursing facilities, agreed to pay $650,000 and enter into a corrective action plan to settle potential HIPAA violations arising out of the theft of a CHCS-issued smartphone. The phone was neither encrypted nor password protected, and it contained detailed and sensitive health information on over four hundred nursing home residents.

OCR’s investigation arose out of separate notifications from CHCS’ nursing homes regarding CHCS’ breach of unsecured protected health information (PHI). The investigation revealed that CHCS had no policies addressing security incidents, including stolen mobile devices containing PHI. OCR also determined that CHCS had not conducted a security risk analysis, nor had it implemented appropriate security measures to reduce risks and vulnerabilities to a reasonable and appropriate level as required by the HIPAA Security Rule. Under the corrective action plan, CHCS will have to:

  • perform a risk analysis and implement a risk management plan based on that risk analysis;
  • provide OCR with copies of all of its business associate agreements and management services agreements with all covered entities for whom it acts as a business associate within fourteen days of the effective date of the corrective action plan; and
  • provide an attestation from an owner or officer of CHCS stating that all documentation submitted to OCR addresses all covered entities for whom CHCS acts as a business associate and that the information is accurate and truthful.

The OCR press release announcing the settlement noted that when determining the settlement amount, OCR considered that CHCS provides “unique and much-needed services in the Philadelphia region” to particularly vulnerable populations. This suggests that the settlement amount could have been much higher. However, the settlement amount is significant, especially considering the additional costs involved in implementing the corrective action plan.

This settlement serves as a wake-up call to business associates that OCR will pursue enforcement action against those who fail to implement the measures required by the HIPAA Security Rule to protect electronic PHI. In light of this settlement and the ongoing wave of OCR HIPAA audits, business associates should:

  • conduct a risk analysis as required by the HIPAA Security Rule and implement a risk management plan;
  • implement (or update) policies addressing the elements identified in the HIPAA Security Rule, including but not limited to mobile device controls, encryption of electronic PHI, and password management;
  • implement or update their security incident response plans; and
  • ensure that they have business associate agreements with all covered entities from whom or on whose behalf they transmit, receive, create or maintain electronic PHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
