Business Associates who fail to conduct health information risk assessments and adopt the required security policies and procedures face a growing threat of discovery and fines. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) got more than a prayerful penance after violating HIPAA rules. The $650,000 fine imposed by HHS arose from the reported theft of a CHCS-issued iPhone that was unencrypted and not even password protected. What?
“Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.
At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.” [Emphasis added, HHS Enforcement Announcement]
In its settlement with HHS, Catholic Health Care Services agreed to adopt and implement, at a minimum, security policies covering the following:
- encryption of ePHI,
- password management,
- security incident response,
- mobile device controls,
- information system review,
- security reminders,
- log-in monitoring,
- a data backup plan,
- a disaster recovery plan,
- an emergency mode operation plan,
- testing and revising of contingency plans,
- applications and data criticality analysis,
- automatic log off,
- audit controls, and
- integrity controls. [CHCS Resolution Agreement]
Business associates should have implemented security policies and procedures years ago. Delaying or ignoring these requirements will only get more expensive as HHS steps up enforcement. If you hold sensitive data, assess the risk and protect the data. With so many attackers hunting for this information, there is no excuse for failing to implement even rudimentary protection of customer data.
Only the excessively rich and terminally clueless ignore data security laws.