First HIPAA Settlement Reached with Business Associate – Heed the warning

In July 2016, the Office of Civil Rights (OCR) reached a $650,000 agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), to settle alleged violations of the HIPAA Security Rule after the theft of a CHCS mobile device containing protected health information. CHCS provided IT and business management services to six nursing homes, and it was estimated that 412 individuals’ information was at risk.

The settlement arose out of the theft of a CHCS employee’s iPhone that was neither password protected nor encrypted. At the time, CHCS had no mobile device policies in effect, nor any policies governing the removal of sensitive protected information from the workplace. The OCR noted that CHCS was given a reprieve in the amount of the penalty, considering that CHCS was engaged in the business of providing “much-needed services” to the community. CHCS was also required to implement a Corrective Action Plan (“CAP”), which consisted in part of:

1) Conducting a HIPAA security risk assessment; 

2) Developing and implementing security policies and procedures;

3) Creating a method of investigating alleged policy violations;

4) Ensuring that all employees have received, and are properly trained on, the security policies and procedures.

This penalty should serve as a reminder to all companies that maintain protected health information to ensure that their policies and procedures are up to date and that ALL employees are trained on them.