Resolution Agreement: Catholic Health Care Services of the Archdiocese of Philadelphia (June 24, 2016)
HHS’s Office for Civil Rights (OCR) has announced a resolution agreement with a HIPAA business associate after the theft of a smartphone compromised the protected health information (PHI) of hundreds of individuals. OCR began its investigation after receiving notification that theft of the smartphone—issued by the business associate to one of its employees—had resulted in a breach of PHI. According to OCR, the phone was unencrypted and was not password-protected. The PHI on the phone was extensive, including Social Security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians, and medication information. OCR determined that, at the time of the theft, the business associate had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident, nor did it have a risk analysis or risk management plan.
The resolution agreement requires a $650,000 payment and compliance with a two-year corrective action plan (CAP). Under the CAP, the business associate must (1) conduct an accurate and thorough risk analysis and document security measures taken to reduce identified risks and vulnerabilities; (2) develop policies and procedures addressing specified aspects of the security rule, including encryption and mobile device controls, for review and approval by HHS; (3) distribute the policies and procedures to existing workforce members within 30 days after HHS approval and to new workforce members within 14 days after they begin service; (4) assess the policies and procedures at least annually, update them as necessary, and provide the updated items to HHS for approval; (5) prepare security training materials for HHS approval and provide training to existing workforce members within 60 days after HHS approval, to new workforce members within 30 days after they start service, and to all workforce members at least annually; (6) investigate any noncompliance by workforce members; and (7) submit detailed annual and event-based reports to HHS.
EBIA Comment: Business associates are directly subject to HIPAA’s security rule requirements, including the need to adopt administrative, physical, and technical safeguards and related policies and procedures (see our Checkpoint article). Given the breadth of problematic practices described by OCR in this resolution agreement, it’s unclear whether this business associate was aware of its HIPAA obligations. Publication of this resolution agreement (OCR’s first with a business associate), combined with OCR’s audit program webpage (which clearly states that business associates may be audited during phase 2 of OCR’s HIPAA compliance audits), should put all business associates on notice. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXX (“Core Security Requirements”). You may also be interested in our recorded webinar “HIPAA Basic Training: Get Your Privacy and Security Compliance on Track for 2016” (recorded on 1/27/2016).
Contributing Editors: EBIA Staff.