Blog

Business Associate Settles Potential HIPAA Violations for $650,000

Author

Alessandra Swanson

July 11, 2016

The Office for Civil Rights (OCR) recently settled with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for $650,000 to resolve CHCS’ potential violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR investigated CHCS after receiving notifications in February 2014 from six nursing homes that all identified CHCS as the source of a breach affecting their respective residents’ protected health information (PHI). CHCS was, at the time, the owner and HIPAA business associate of the nursing homes. The breach occurred when a CHCS employee lost an unencrypted CHCS-issued mobile phone that contained the PHI of 412 residents.

According to the Resolution Agreement between OCR and CHCS, the breach was not the focus of the settlement. Instead, the Agreement highlighted potential Security Rule violations that OCR discovered during its investigation into the breach. In addition to the monetary settlement, CHCS agreed to enter into a Corrective Action Plan that imposes two years of monitoring by OCR and requires CHCS to undertake a risk analysis and implement a risk mitigation plan. CHCS must also develop and tender for OCR’s approval Security Rule policies and procedures and related staff training materials.

TIP: This settlement serves as a reminder that OCR has—and is actively exercising—the jurisdiction to investigate and take formal enforcement action against business associates that fail to comply with the HIPAA rules.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.

Copyright © 2025. Winston & Strawn LLP