Washington Healthcare News
wahcnews.com

Business Associate Hit with $650,000 HIPAA Settlement
By Richard S. Cooper, Esq.
Member
McDonald Hopkins LLC

Original Publish Date: July 12, 2016

On June 30, 2016, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its settlement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), for failure to perform risk analysis and risk management as required under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The settlement arose out of OCR’s investigation of the theft of an unencrypted CHCS iPhone that contained electronic protected health information (“ePHI”) of 412 nursing home patients and was not password protected. CHCS provided management and information technology services as a business associate to 6 nursing homes that were subsidiaries of CHCS, and it reported the breaches to OCR in February 2014 as required under the Breach Notification Rule. OCR commenced its investigation in April 2014, a mere 7 months after the HIPAA Omnibus Rule extended the HIPAA Privacy and Security Rules (and exposure to related penalties) to business associates.

OCR faulted CHCS for failure to (i) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI (risk analysis), and (ii) implement appropriate security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level (risk management). OCR also found that CHCS had no policies addressing the removal of mobile devices or how to respond to a security incident.

CHCS agreed to pay $650,000 and implement a corrective action plan. This payment amount is substantial for a breach that affected only 412 individuals, but apparently could have been even higher. The press release noted that the payment amount was determined after considering that CHCS provides unique and much-needed services to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.

The announcement shows that OCR is serious about taking strong enforcement action and imposing severe penalties against business associates for failure to implement safeguards as required under the HIPAA Privacy, Security and Breach Notification Rules. This settlement continues OCR’s expansion of its enforcement focus on business associates, following a string of three recent OCR settlements holding covered entities responsible for failing to enter into business associate agreements with their business associates - Raleigh Orthopaedic Clinic, P.A. ($750,000), North Memorial Health Care ($1.55 million) and Triple-S Management Corporation ($3.5 million).

For additional information, please contact the attorney listed below.

Richard S. Cooper, Esq., is a Member of the McDonald Hopkins LLC law firm. He is also the Manager of its National Healthcare Practice Group and Co-chair of its Healthcare Restructuring Practice Group.

Mr. Cooper provides legal representation to a broad range of hospitals, other healthcare facilities and physician groups across the United States. He has been listed in The Best Lawyers in America for health law for twenty-two consecutive years and selected for inclusion in Ohio Super Lawyers (2005-2015).

Visit the McDonald Hopkins LLC web site at www.mcdonaldhopkins.com.