If your organization is a business associate of a HIPAA covered entity (such as a health care provider or employee health benefit plan), you should know that the Department of Health and Human Services' Office of Civil Rights (OCR) is actively pursuing business associates over privacy and information security violations.
Business Associate Fined >$15,000 Per Patient
This week, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle with OCR after alleged violations of the HIPAA Security Rule that came to light after the loss of an iPhone containing protected health information (PHI) of 412 nursing home residents. The settlement requires a monetary payment of $650,000 and a corrective action plan. (For those who have not already done the math, the fine alone will cost CHCS more than $15,000 per patient!)
In announcing the settlement, OCR's Director Jocelyn Samuels emphasized the importance of a comprehensive program: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” In the case of CHCS, the iPhone was unencrypted and was not password protected. To make matters much worse, OCR learned that CHCS had no policies addressing the loss of mobile devices containing PHI, no security incident response plan, no risk analysis, and no risk management plan.
As part of the settlement, OCR will monitor CHCS for two years to ensure compliance. You can read the Resolution Agreement and Corrective Action Plan on the OCR website here.
Business Associate Audits
This announcement comes just months after the launch of the second phase of OCR's much-anticipated audit program for business associates. Rather than awaiting reports of violations, the OCR is actively auditing business associates. When announcing the audit program, OCR explained the process:
- First, OCR will contact organizations by email to verify contact information and complete a pre-audit questionnaire.
- Organizations selected will be subject to either a desk audit, an onsite audit, or both.
- Organizations will have a about 10 business days to produce requested documents, so there will be insufficient time to create or update HIPAA privacy and security policies, security risk assessments, breach notification documentation, business associate agreements, and other HIPAA documentation after notification.
- Business associates should not wait until an audit is initiated. Now is the time to ensure that HIPAA programs are in place, complete, and up to date.
If this week's CHCS settlement is any indicator, the OCR will be seeking large fines when it uncovers violations.
This post is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this post without obtaining the advice of an attorney. If you have questions concerning this post, please contact Matt Cordell at firstname.lastname@example.org.