HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

Wilson Sonsini Goodrich & Rosati

On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.1 As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

Background

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a "business associate" under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.

CAP Requirements

In addition to the $650,000 payment, CHCS is required to conduct an initial and annual data security risk assessment and document the security measures it has implemented to sufficiently reduce any identified risks. CHCS must also develop the written policies, procedures, and training required by the Security Rule, provide them to HHS for review and approval, revise them as requested by HHS, and implement the revised policies, procedures, and training.2 CHCS is required to provide the updated policies, procedures, and training to all workforce members and obtain their compliance certification.

To help ensure continued HIPAA compliance, HHS will monitor CHCS's compliance with these CAP requirements for two years. CHCS will need to update its policies and procedures at least annually and provide those updated policies to HHS for review. CHCS must also notify HHS of any workforce noncompliance with its HIPAA-related policies and procedures.

Implications

Since the release of the HIPAA Final Omnibus Rule in early 2013, HHS has held business associates directly responsible for complying with certain HIPAA requirements, including the Security Rule. Although HHS has been slow to bring enforcement actions against business associates, the agency has taken several steps—in addition to this enforcement action against CHCS—signaling much more interest in compliance by business associates.

Earlier this year, HHS highlighted the importance of business associate agreements (BAAs) in two enforcement actions against HIPAA-covered entities (e.g., health care providers, health plans, and health care clearinghouses).3 For example, in its investigation of Raleigh Orthopaedic Clinic, HHS found that the clinic provided protected health information for approximately 17,300 patients to a business associate without a BAA in place. HHS stated that the lack of a BAA meant that sensitive health information was left without certain safeguards and vulnerable to misuse or improper disclosure.

In addition, in March 2016, HHS launched its HIPAA-compliance audit program of covered entities and business associates.4 HHS will first perform desk audits of randomly selected covered entities and expects to perform desk audits of randomly selected business associates thereafter.5

In response to these initiatives, business associates should assess their HIPAA compliance efforts and update their compliance policies and procedures as needed. Doing so sooner rather than later is important, as HHS has indicated that it will require prompt responses to its requests made during its audits—according to HHS, organizations must respond to HHS within 10 business days of its document requests.6


2 The policies must, at minimum, cover the following topics: encryption of electronic protected health information, password management, security incident response, mobile device controls, information system review, security reminders, log-in monitoring, data backup, disaster recovery, emergency mode operation, testing and revising of contingency plans, application and data criticality analysis, automatic log off, audit controls, and integrity controls.
4 See "No More Crying Wolf—HIPAA Audits Coming in 2016," The WSGR Data Advisor, November 2015, https://www.wsgr.com/publications/PDFSearch/the-data-advisor/Nov2015/#8.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
