Case points to Business Associate Agreements as critical
When it comes to HIPAA enforcement, you can’t hide behind a cloak. That is the message of the federal government’s settlement with the Archdiocese of Philadelphia.
The Diocese will pay $650,000 to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), relating to the theft of a mobile device containing protected health information for 412 nursing home residents.
In this and other recent actions, the feds are underscoring an emphasis on holding Business Associates accountable for safeguarding patient information.
In the Philadelphia case, Catholic Health Care Services (CHCS), an agency of the Diocese, performed IT services as a business associate to six skilled nursing facilities. Here is what happened, according to an announcement by the U.S. Office for Civil Rights (OCR):
In April 2014, OCR initiated an investigation following the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone included Social Security numbers, information about diagnoses, medications and treatments, and names of family members and legal guardians.
Investigators found that CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan.
The feds signaled they went light on the settlement amount, saying they considered that CHCS provides much-needed services in the Philadelphia area.
The Resolution Agreement and Corrective Action Plan can be found on the OCR website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html