On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.

CHCS acts as a business associate by providing management and information technology services to six nursing homes, which are HIPAA-covered entities. In February 2014, the nursing homes reported a breach of electronic protected health information (“ePHI”) involving the theft of a CHCS employee’s iPhone. The iPhone contained large amounts of ePHI of nursing home patients, including Social Security numbers, diagnosis and treatment information, names of patients’ family members and legal guardians, and medication information. The iPhone was neither encrypted nor password-protected.

OCR’s investigation of CHCS found that CHCS, in violation of the HIPAA Security Rule, had failed to (1) conduct an accurate and thorough risk assessment involving ePHI, and (2) implement appropriate security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.

The resolution agreement requires CHCS to pay a $650,000 settlement to OCR and enter into a Corrective Action Plan that obligates CHCS to:

  • conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by CHCS, and document the security measures to reduce those risks and vulnerabilities to ePHI to a reasonable and appropriate level;
  • develop, maintain and implement written policies and procedures to comply with the requirements of the HIPAA Security Rule;
  • distribute the HIPAA policies and procedures to relevant members of its workforce within 14 days after starting their employment, and obtain certification from those workforce members that they agree to comply with the policies and procedures;
  • report any events of noncompliance with its HIPAA policies and procedures;
  • provide copies of its business associate agreements (“BAAs”) and management service agreements to OCR;
  • provide security training to its workforce; and
  • submit annual compliance reports to OCR for a period of two years.

In the press release accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that “[b]usiness associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities.” Director Samuels also referred to an entity’s risk analysis and risk management plan as “the cornerstones of the HIPAA Security Rule.”

Although this is the first OCR enforcement action against a business associate, the CHCS settlement follows two recent actions involving covered entities that failed to enter into BAAs with service providers that used and disclosed PHI. In April 2016, Raleigh Orthopaedic settled with OCR for $750,000 for improperly disclosing PHI to a third-party service provider without entering into a BAA with that service provider, and in March 2016 North Memorial Health Care of Minnesota settled with OCR for $1.55 million in connection with a breach by its service provider, Accretive Health.

Because a sizable percentage of breaches involve business associates, we should expect more enforcement actions against business associates in the near future.