
On June 30, the Office for Civil Rights (OCR) announced the first HIPAA settlement agreement with a business associate. This follows recent settlements with two HIPAA covered entities that resulted, in large part, from the absence of a Business Associate Agreement (BAA) with third-party vendors handling patient Protected Health Information (PHI).

In this first business associate settlement, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle what OCR determined were potential violations of the HIPAA Security Rule. As with prior settlements with covered entities, this settlement mandates both a 2-year corrective action plan and a monetary payment (assessed at $650,000 in this case).

In its role as a business associate, CHCS provided both management and information technology services for six skilled nursing facilities. The breach of the Security Rule occurred when an unencrypted smartphone was stolen from a CHCS employee. The stolen phone contained a wide variety of PHI for 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, names of family members and guardians, and medication information. As part of its investigation, OCR determined that CHCS had failed to assess the risks posed by its handling of PHI and had inadequate security protocols in place to minimize the risk of PHI disclosure.

Through this settlement, OCR sent a strong message that HIPAA enforcement is not limited to covered entities themselves, but will also be imposed on the business associates that work with those entities. The OCR director stated that business associates must conduct an “enterprise-wide risk analysis” and maintain a “corresponding risk management plan” in order to comply with the HIPAA Security Rule. It is worth noting that, although this breach actually occurred while CHCS owned the nursing homes, OCR chose to describe this as a settlement with a business associate, perhaps to underscore the importance of business associate compliance.

Under BAA contractual obligations, business associates are specifically required to comply with the provisions of the HIPAA Security Rule and the corollary Breach Notification Rules. Thus, business associates of all types should take advance steps to ensure compliance so they will be prepared in the event of an OCR audit or investigation.
