First HIPAA Settlement for Business Associate

Posted by Catherine Cownie on Friday, July 29, 2016

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached its first settlement with a business associate over alleged HIPAA violations. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is a non-profit organization that served as a business associate to six skilled nursing facilities, providing them with management and information technology services. In 2014, an iPhone containing the protected health information (PHI) of 412 individuals was stolen from a CHCS employee. The device was neither encrypted nor password protected, so nothing prevented whoever took it from reading the PHI it held. CHCS self-reported the incident. In its subsequent investigation, OCR determined that CHCS did not have the necessary policies and procedures in place governing the removal of electronic devices containing PHI from CHCS’ offices, and that it lacked an adequate incident response plan, a risk analysis, and a risk management plan. As part of the settlement with OCR, CHCS agreed to pay $650,000 and entered into a corrective action plan, which includes two years of monitoring by OCR.

Full article on HHS’ website