Entity Fined $650,000 in First HIPAA Settlement with a Business Associate

Parker Poe Adams & Bernstein LLP

The prospect of business associates being audited, investigated, and ultimately fined is now a reality.  On June 24, 2016, the United States Department of Health and Human Services' Office for Civil Rights ("OCR") entered into an agreement with Catholic Health Care Services of the Archdiocese of Philadelphia ("CHCS") for $650,000 to settle potential HIPAA violations related to the theft of a CHCS iPhone that contained the protected health information of 412 nursing home residents.

This is the first settlement of this kind with a business associate.  If there was ever a question as to how diligent business associates must be in implementing a HIPAA-compliant program, including the management of mobile devices used to store or transmit protected health information, this settlement makes clear that business associates must be vigilant.  According to OCR officials, at the time of the incident CHCS had no policies addressing the removal of mobile devices containing protected health information from its facility or what to do in the event of a security incident.  It was also determined that CHCS did not have a risk analysis or risk management plan in place.

Pursuant to the corrective action plan set forth in the settlement agreement, OCR will monitor CHCS for a period of two (2) years, and CHCS will be required to conduct an annual risk analysis and implement numerous policies and procedures to ensure that CHCS complies with the Federal standards that govern the security of individually identifiable health information.  In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.

While the settlement agreement with CHCS, as a business associate, may be the first of its type, it will not be the last, as OCR continues to audit and investigate business associates for compliance with HIPAA requirements.  If business associates are not already prepared, they should quickly ensure that the policies and procedures adopted and employed by their companies meet the standards and implementation specifications of the Security and Breach Notification Rules.  The bottom line is that business associates must be prepared.

Read More: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Parker Poe Adams & Bernstein LLP
