Summary

On June 30, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that a business associate providing management services to nursing homes in the Philadelphia, Pa. region agreed to pay $650,000 and enter into a corrective action plan (“CAP”) relating to alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The OCR began investigating the Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) after the OCR received notices from six nursing homes due to a breach of unsecured electronic protected health information (“PHI”) by CHCS.  The breach resulted from the theft of a CHCS employee’s company-issued iPhone.  The iPhone was not encrypted or password-protected.  The breach affected 412 nursing home residents.  According to the OCR press release announcing the HIPAA settlement, the “information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.”

The OCR’s investigation revealed that at the time of the breach CHCS had no (i) policies or procedures addressing the removal of mobile devices containing PHI from CHCS’ offices; (ii) policies or procedures addressing security incidents; or (iii) risk analysis or risk management plan.

The OCR stated in its press release that, “In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.”  The OCR did not elaborate on this comment.  One possible inference is that the OCR might require a higher resolution amount from another entity for a similar HIPAA issue.

Under the terms of the CAP entered into with the OCR, CHCS is required to do the following:

• Conduct an accurate and thorough risk assessment within 120 days and annually thereafter and document the security measures implemented by CHCS to “sufficiently reduce the identified risks and vulnerabilities [to the electronic PHI held by CHCS] to a reasonable and appropriate level.”
• Develop, maintain and revise its policies and procedures to comply with the HIPAA Security Rule.  The policies and procedures must be submitted to OCR for approval.
• Once approved by the OCR, distribute the new and revised policies to all workforce members and require workforce members to sign a compliance certification.
• Provide security training for each of its workforce members who has access to electronic PHI.
• Submit a series of three reports to the OCR detailing CHCS’s compliance with the CAP.  The first report is due within 60 days of OCR’s approval of CHCS’s Security Rule policies and procedures.  Thereafter, CHCS must submit a report each year of the CAP.

The resolution agreement and CAP are available here.  

Important Takeaways

The OCR continues to emphasize the importance of HIPAA compliance generally, and Security Rule compliance specifically.  Covered entities and business associates must conduct enterprise-wide risk assessments and implement security management programs to ensure HIPAA compliance.

Recent OCR settlement agreements demonstrate that failure to comply with HIPAA can have costly financial consequences, generate negative publicity, and result in OCR monitoring.  Saul Ewing regularly writes about the OCR HIPAA settlements, the most recent of which may be found here.