OCR Announces First HIPAA Enforcement Action against a Business Associate

Ballard Spahr LLP

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced an agreement with Catholic Health Services of the Archdiocese of Philadelphia (CHCS), settling allegations that CHCS violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI). This is the first enforcement action that OCR has taken against a "business associate" of a HIPAA-covered entity.

CHCS is a nonprofit organization that provides management and information technology services as a business associate of six nursing homes. These nursing homes reported a data breach to OCR in 2014 after a CHCS employee’s iPhone was stolen. The iPhone was neither encrypted nor protected by a password. The iPhone contained Social Security numbers, names of family members and legal guardians, and information regarding diagnoses, medical procedures, medication, and other treatments for 412 patients.

OCR conducted an investigation and concluded that CHCS had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and had failed to implement appropriate security measures to reduce those risks, as the HIPAA Security Rule requires.

As a result of the Resolution Agreement and Corrective Action Plan, CHCS must pay $650,000 in penalties and adhere to a corrective action plan that requires it to:

  • Conduct annual risk assessments and document the measures it takes to reduce those risks;
  • Develop, maintain, and annually review and revise its written policies and procedures to comply with the HIPAA Security Rule; and submit those policies and procedures (and revisions) to HHS for approval;
  • Distribute its policies and procedures to all members of its workforce (and to new members within their first 14 days of work) and require new workforce members to sign a certification form stating they have read, understand, and shall abide by such policies and procedures;
  • Report any event of noncompliance with its HIPAA policies and procedures to HHS;
  • Provide annual training for all workforce members with access to ePHI; and
  • Submit annual compliance reports to OCR.

OCR's action demonstrates that business associates, not only covered entities, must ensure they have taken appropriate measures to comply with HIPAA. In this case, the issues came to OCR's attention because of a breach. OCR is expected to conduct its first audits of business associates under its new HIPAA audit program this fall, and some of those audits could turn into OCR investigations even where no breach has occurred.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
