The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has agreed to settle the case against Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for $650,000. CHCS has agreed to a corrective action plan and will pay the financial penalty to the OCR to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), without admission of liability.
In February 2014, the OCR received six separate breach notices from six skilled nursing facilities following the theft of an unencrypted portable device. The device had been stolen from CHCS – a business associate of the nursing facilities – and it contained the ePHI of 412 patients.
The device, which was an unencrypted iPhone, had been issued to a CHCS employee. The device could be accessed without a password. Patient data stored on the device included names, Social Security numbers, medical procedures, medical diagnoses, details of medications that had been prescribed, treatment information, and the names of guardians and family members of patients.
CHCS provides IT and management services to the nursing facilities. Since CHCS is a business associate of a HIPAA covered entity and is required to access the ePHI of nursing facility patients, it is required to comply with HIPAA Rules.
However, since the compliance date of the HIPAA Security Rule, CHCS had failed to conduct an accurate and comprehensive risk analysis. Consequently, the confidentiality, integrity, and availability of ePHI was placed at risk.
Additionally, CHCS had not implemented safeguards to reduce the risk of ePHI exposure to an appropriate level, as was required by the HIPAA Security Rule.
The settlement amount could have been higher. The OCR took into consideration the essential role that CHCS plays in the Philadelphia region, helping individuals suffering from HIV/AIDS, and providing a range of services for the developmentally disabled and the elderly.
In addition to the financial penalty, CHCS has agreed to adhere to a Robust corrective action plan (CAP). Under the CAP, CHCS must update its policies and procedures to ensure that ePHI is appropriately protected. CHCS must not provide ePHI or access to ePHI to any member of staff that has not signed the necessary written or electronic certification. CHCS must also perform a comprehensive, organization-wide risk analysis and put a plan in place to address any vulnerabilities that are discovered. The OCR will monitor CHCS closely for two years to ensure continued compliance with HIPAA Rules.
The settlement highlights the importance of conducting a risk analysis and complying with all aspects of the HIPAA Security Rule, whether a covered entity or a business associate of a covered entity.