First Settlement is a Wake-Up Call for Business Associates Working With Health Care Providers

By Jessica A. Ellel

A wide range of businesses outside the healthcare industry perform services for health care providers and have access to Protected Health Information (PHI). If so, that business is considered a Business Associate and may have been, or will be, required to sign a Business Associate Agreement by the health care provider it does business with. Business Associates have a responsibility to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and specifically with HIPAA’s Security Rule. The Security rule requires Business Associates to implement administrative, physical, and technical safeguards. In addition, it imposes other organizational requirements and a need to document processes analogous to HIPAA’s Privacy Rule.

Oversight and enforcement of HIPAA compliance for Business Associates falls under the Department of Health and Human Services Office for Civil Rights (OCR). Even though OCR has had this authority since 2009, the summer of 2016 marks the first time a Business Associate has entered into a Resolution Agreement and paid a significant financial settlement following a HIPAA violation.

The settlement in question was levied on June 24, 2016 against Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) following an investigation that commenced on April 17, 2014. The investigation was launched in response to a notice that was provided to OCR following the September 2013 theft of an iPhone which had been issued to a CHCS employee. The stolen iPhone held a large amount of PHI from 412 patients residing at six nursing homes managed by CHCS. Despite holding this PHI, the stolen iPhone was not protected by encryption or even a password. In the course of its investigation, OCR determined that in addition to failing to encrypt or password protect the iPhone, CHCS had also failed to enact an appropriate HIPAA security compliance plan including the requirement to conduct a security risk assessment as required by the HIPAA Security Rule.

As a result of the settlement, CHCS will pay $650,000 and enter into a Corrective Action Plan. The Corrective Action Plan requires the organization to correct the deficiencies in its HIPAA Compliance Plan and will also subject it to monitoring by OCR for a period of two years. For more details about the Resolution Agreement and the Corrective Action Plan, see http://www.hhs.gov/sites/default/files/chcs-racap-final.pdf.

This settlement serves as a strong reminder that compliance with HIPAA is as important for Business Associates as it is for the health care providers that the Business Associates serve. It is essential for a Business Associate to takes its role seriously. This means implementing a HIPAA Compliance Plan that addresses the privacy and security of patient data received from the health care provider, training the workforce on the Compliance Plan, conducting a security risk assessment, and adapting policies and procedures as necessary to address deficiencies discovered by the security risk assessment.

Your Houston Harbaugh attorneys have developed tools and materials to assist Business Associates in developing a comprehensive HIPAA Compliance Plan and are available to assist you.