On June 30, 2016, the Health and Human Services Office for Civil Rights (OCR) announced the first-ever settlement of Health Insurance Portability and Accountability Act (HIPAA) claims against a business associate. According to the settlement agreement, an OCR investigation found that Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a nonprofit corporation that previously owned six nursing homes and continues to provide management services to the facilities, failed to conduct an accurate and thorough risk assessment or implement appropriate security measures to address risks and vulnerabilities as required by the HIPAA Security Rule. OCR also found that CHCS did not have appropriate Security Rule policies in place and no risk analysis or risk management plan.
OCR conducted the investigation after receiving notification that a CHCS-issued smart phone had been stolen from an employee. The smart phone contained protected health information (PHI) of more than 400 individuals but was not encrypted or password-protected. CHCS agreed to pay $650,000 and follow a two-year corrective action plan as part of the settlement.
Although direct enforcement against business associates was authorized in the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and detailed in the Omnibus Final Rule in 2013, this settlement is the first action under these amended laws. Significantly, the CHCS settlement is the latest indication that business associate operations and relationships in general are a growing focus of OCR action. Earlier this year, two covered entities entered into settlements with OCR for failure to have business associate agreements in place, and in March 2016 OCR began its Phase 2 audits, which will include business associates. Although CHCS is the first business associate to enter into a settlement, it is almost certain that there will be more enforcement actions against business associates in the future.
To the degree that there is good news about the CHCS settlement, it is that the relatively low settlement amount imposed on CHCS confirms that OCR’s (current) goal is not to be punitive, but to achieve compliance with the HIPAA requirements. Indeed, in its public statement about the settlement, OCR stated that in determining the settlement amount, it considered CHCS’s provision of services to the elderly, developmentally disabled individuals, young adults aging out of foster care, and HIV/AIDS patients. There is no guarantee, however, that OCR will not administer harsher penalties in the future if business associates fail to comply with the Security Rule and other applicable HIPAA rules.
Both covered entities and business associates should ensure compliance with the HIPAA Security Rule by conducting thorough risk assessments and addressing risks and vulnerabilities that are identified. Comprehensive security policies should be implemented, including risk management, procedures in the event of a security incident, and policies regarding mobile devices. With respect to mobile devices like the stolen CHCS smart phone, the best practice is to avoid saving PHI on mobile devices, but at a minimum the device’s password function should be enabled and the device should be encrypted.
As always, the specific terms of the corrective action plan — which places an emphasis on policies, procedures and workforce education — offer a glimpse into OCR’s priorities. Thus, covered entities and business associates should consider CHCS’s corrective action plan as a compliance checklist of sorts.