The Department of Health and Human Services Office for Civil Rights (HHS-OCR) has announced its first-ever enforcement action against a “business associate” of a HIPAA-covered entity.

Catholic Health Care Services of the Archdiocese of Philadelphia agreed to a $650,000 settlement for violations of the Health Insurance Portability and Accountability Act after a stolen mobile device compromised the protected health information of hundreds of nursing home residents. Compliance officers in the healthcare industry looking to minimize risk of future HIPAA violations will want to take a look at the resulting corrective action plan.   

As a “business associate” under HIPAA, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is required to comply with the HIPAA Privacy and Security Rules. Business associates include, for example, healthcare billing companies, Medicare payers, hospital management companies, and cloud computing providers that store PHI.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” Jocelyn Samuels, director of HHS-OCR, said in a statement. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

In this particular case, CHCS provided management and information technology services as a business associate to six skilled nursing facilities. In total, 412 individuals were affected by the combined breaches. 

HHS-OCR opened its investigation in February 2014 after receiving separate breach notifications from each of the six nursing homes, all concerning the same incident: the theft of a CHCS-issued employee iPhone that was neither encrypted nor password-protected. According to OCR, the information on the iPhone was extensive and included Social Security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians, and medication information.

At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.

In determining the resolution amount, OCR said it considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS. 

OCR said it will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a business associate. 

Corrective action obligations

Under its corrective action plan, CHCS agrees to the following measures:

Risk analysis and risk management. CHCS shall, within 120 days of the effective date, and annually thereafter, conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS, and document the security measures CHCS has implemented or is implementing to reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

Policies and procedures. CHCS shall develop, maintain, and revise, as necessary, its written policies and procedures to comply with the federal standards that govern the security of individually identifiable health information.

Distribution and updating of policies and procedures. CHCS shall distribute the policies and procedures to all members of its workforce within 30 days of HHS approval of such policies and to new members of its workforce within 14 days of their beginning of service. CHCS shall require, at the time of distribution of such policies and procedures, a signed written or electronic initial compliance certification from all members of the workforce, stating that the workforce members have read, understand, and shall abide by such policies and procedures.

CHCS shall assess, update, and revise, as necessary, the policies and procedures at least annually (and more frequently if appropriate), as long as it continues to function as a business associate. CHCS shall provide such revised policies and procedures to HHS for review and approval. Within 30 days of the effective date of any approved substantive revisions, CHCS shall distribute such revised policies and procedures to all members of its workforce and shall require new compliance certifications.

Minimum content of policies and procedures. At a minimum, CHCS’s policies and procedures shall cover:

Encryption of ePHI

Password management

Security incident response

Mobile device controls

Information system review

Security reminders

Log-in monitoring

Data backup plan

Disaster recovery plan

Emergency mode operation plan

Testing and revising of contingency plans

Applications and data criticality analysis

Automatic log off

Audit controls

Integrity controls

Reportable events. During the compliance term, CHCS shall, upon receiving information that a workforce member may have failed to comply with the policies and procedures, promptly investigate the matter. If CHCS determines, after review and investigation, that a member of its workforce has failed to comply with these policies and procedures, CHCS shall notify HHS in writing within 30 days.

Training. Within 60 days of the effective date, CHCS shall provide HHS with security training materials for all members of its workforce that have access to ePHI. Upon receiving notice from HHS specifying any required changes, CHCS shall make the required changes and provide revised PHI security training materials to HHS within 30 days.

Upon receiving approval from HHS, CHCS shall provide security training for each workforce member who has access to ePHI within 60 days of HHS approval and at least every 12 months thereafter. CHCS shall also provide such training to each new member of the workforce who has access to ePHI within 30 days of their beginning of service.

Each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received. All course materials shall be retained. CHCS shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

“This case highlights the importance of HIPAA preparation and planning,” Ericka Adler, a partner at law firm Roetzel & Andress, wrote in a client alert. “It is not enough to hope that a HIPAA violation never occurs and take a ‘we’ll cross that bridge when we come to it’ mentality. The failure to implement HIPAA-specific policies and procedures and prepare in advance of a security incident are enough to subject a practice to sanctions.”

“If you have yet to review your HIPAA compliance policies and procedures in the last year, now is a good time to start,” Adler wrote. “In the unfortunate event that a security incident occurs, having good compliance plans and educated personnel may make a significant difference in the OCR’s investigation and response.”