First Business Associate HIPAA Penalty Announced

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first resolution agreement with a business associate on June 29th, 2016. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the 2014 theft of an unprotected mobile device put the protected health information (PHI) of 412 nursing home residents at risk.

CHCS, which was responsible for the management and IT services provided to six skilled nursing facilities, agreed to pay a resolution amount of $650,000 and submit to a corrective action plan, which includes two years of direct monitoring by the OCR. The resolution underlines the new focus the OCR is placing on business associates. This was hinted at earlier this year in a new brief on how to manage security incidents involving business associates: ensuring that safeguards are adequate, that notification is prompt, and that the response to a data breach is effective. The OCR’s phase two compliance audits will also include evaluations of business associates this year.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

At the time of the incident, the OCR determined that CHCS had no policies addressing the use of mobile devices or the use of PHI on mobile devices. The OCR also determined that CHCS had no risk analysis or risk management plan in place. This settlement also reinforces that the size of a data breach does not necessarily correlate with the resolution amount.

According to current HIPAA standards, lost or stolen mobile devices that are password protected and encrypted to HIPAA standards are exempt from notification requirements. The corrective action required of CHCS also includes effective security incident response, mobile device controls, and audit and integrity controls, among other requirements.

Absolute DDS for Healthcare provides visibility into your fleet of devices, as well as the data they contain, with alerts for events and activities that could be precursors to a security incident. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches by remotely deleting data or locking down devices, and prove compliance if needed. With full reporting capabilities, you can prove that your data remained protected, even when it was physically outside your control. Absolute DDS for Healthcare is a comprehensive onboarding program that pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com.

ABOUT THE AUTHOR

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada’s first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.