July 2016

Three Years in the Making: OCR Takes Its First HIPAA Enforcement Action Against a Business Associate

2 min

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) has taken its first enforcement action against a business associate. On June 30, 2016, OCR announced that it entered into a resolution agreement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) to settle potential HIPAA violations stemming from the theft of an employee’s company-issued cell phone that contained the particularly sensitive protected health information (PHI) of 412 nursing home residents. CHCS is a nonprofit organization that, at the time of the theft, provided management and information technology services to six nursing homes in the Philadelphia region, in addition to its other services for the benefit of the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS. As part of the settlement, CHCS is required to pay a resolution amount of $650,000. This announcement comes nearly three years after OCR was vested with direct enforcement authority over business associates.

OCR's investigation of the breach revealed that CHCS had failed to conduct a security risk analysis and implement a risk management plan, which form the foundation of any covered entity’s or business associate's HIPAA security program. Moreover, OCR found that CHCS did not have any policies addressing the removal of mobile devices containing PHI from its facilities or what to do in the event of a security incident. CHCS is required to remedy these deficiencies during the course of its two-year corrective action plan, along with other improvements to its policies, procedures, and workforce training.

This settlement comes in the midst of an overall increase in enforcement activity by OCR. In the first six months of 2016, OCR has taken more enforcement actions under HIPAA than it took in all of 2015. OCR also launched Phase 2 of its audit program in March 2016, which includes both covered entities and business associates. This increased enforcement activity serves as a reminder to both covered entities and business associates of their obligations under the Privacy Rule and Security Rule, particularly as they relate to core elements of a HIPAA compliance program, such as conducting an enterprise-wide security risk analysis, developing a risk management plan, establishing privacy and security policies and procedures, conducting workforce training, and implementing an efficient incident response process.

OCR's press release and resolution agreement with CHCS are available here.