OCR’s First Settlement with a Business Associate for HIPAA Violations

July 15, 2016

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.