HIPAA Violation Fines: Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 Settlement

Catholic Health Care Services of the HIPAA ViolationsArchdiocese of Philadelphia has come to an agreement in order to settle potential HIPAA violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This is a result of an employee’s iPhone being stolen which contained the Protected Health Information (PHI) of hundreds of nursing home residents. The theft resulted in a total of 412 combined breaches.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmJocelyn-Samuelsit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. OCR started its investigation being notified of a breach involving a stolen Catholic Health Care Services employee iPhone. The information contained on the iPhone was widespread including social security numbers, medical procedures, names of family and legal guardians, medical information, and information pertaining to diagnosis and treatments.  The information stored on the stolen iPhone was neither password protected or encrypted making the sensitive data visible to anyone with access to the phone. During the incident, Catholic Health Care Services neglected to implement policies for the removal of PHI on mobile devices in the event of a security incident. OCR also discovered there was no risk management plan or risk analysis in place.

As a result, Catholic Health Care Services will pay a $650,000 HIPAA Settlement and are required to:

  • Conduct a Risk Analysis and Risk Management Assessment
  • Develop, maintain, and revise their written policies and procedures to comply with the Federal standards that govern the security
    of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”)
  • Implement such policies and procedures within 30 days of receipt of HHS’ approval
  • Distribute the policies and procedures identified in section V.A. to all members of the workforce within 30 days of HHS approval

This is the sixth HIPAA violation fine in 2016 by HHS (Read the previous resolution agreements here)

What is the specific HIPAA violation?

Catholic Health Care Services violated the Health Insurance Portability and Accountability Act of 1996 Security Rule.  This violation occurred after an employee’s iPhone was stolen that contained ePHI which was unencrypted and not password protected. This caused a total of 412 individuals to be affected by the breach.

HIPAA Violations and Corrective Action Plan (CAP)

Catholic Health Care Services has been fined $650,000 for the violation along with  Corrective Action Obligations. These include a Risk Analysis and Risk Management Plan. Catholic Health Care Services are also required to revise, maintain and implement new policies and procedures in order to comply with federal standards.

What could have been done differently?

With theft being the leading cause for HIPAA breaches encryption and password protection is a must. Any device which comes into contact with ePHI should always be encrypted and password protected. If Catholic Health Care Services iPhone was encrypted and password protected the ePHI would have been inaccessible rendering it useless if stolen. Here at EHR 2.0, we offer  Security Risk Assessment and comprehensive HIPAA Compliance Assessment which thoroughly evaluates a healthcare practice and find weak points such as not having devices encrypted. We then develop an action plan to fix this immediately.

Share this in :
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.