The HHS Office for Civil Rights has levied a $650,000 fine and a corrective action plan against Catholic Health Care Services, a business associate of the Archdiocese of Philadelphia.

Such enforcement actions, of which more than 30 have now been imposed across the industry, follow a finding that a HIPAA-covered entity or a business associate of a healthcare organization has substantially ignored the HIPAA Security Rule. In this case, OCR in February 2014 received breach notifications from each of six nursing homes that Catholic Health Care Services operated.

[Photo: HHS Headquarters in Washington, D.C. Credit: Brian M. Kalish/Employee Benefit Adviser]

The breaches resulted from the theft of an iPhone that was neither encrypted nor passcode protected; the device held such sensitive information as Social Security numbers, diagnoses and treatment, medical procedures, names of family members and legal guardians, and medications, according to OCR. Had the device been encrypted in line with HHS guidance, the theft would not have been a reportable breach, because encrypted protected health information is treated as secured under the Breach Notification Rule.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” OCR Director Jocelyn Samuels said in a statement. “This includes an enterprisewide risk analysis and corresponding risk management plan, which is the cornerstone of the HIPAA Security Rule.”

In a formal agreement on the matter, Catholic Health Care Services did not deny the allegations. Its resolution agreement includes a two-year corrective action plan, and in it the organization acknowledged its obligation to implement a risk analysis and risk management plan, as well as a long list of policies and procedures that it had not previously adopted.

These include policies and procedures covering encryption of electronic protected health information, password management, security incident response, mobile device controls, information system reviews, security reminders, log-in monitoring, data backup plan, disaster recovery plan, contingency plans, data criticality analysis, automatic log off, audit controls and integrity controls.

During the two-year plan, any failure by Catholic Health Care Services workforce members to comply with those policies and procedures is a reportable event that must be disclosed to OCR, together with a plan to mitigate the issue. The full resolution agreement is published by HHS.

All Health Data Management content is archived after seven days.