For the first time, the Office for Civil Rights (OCR) has settled potential HIPAA violations with a business associate, and that settlement sheds light on how the government is assessing compliance.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a monetary payment of $650,000 and a corrective action plan to settle potential HIPAA violations after the theft of a CHCS mobile device compromised the protected health information (PHI) of 412 nursing home residents. CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
Although direct enforcement against business associates was authorized in the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and detailed in The Omnibus Final Rule in 2013, this settlement is the first action under these amended laws, says Nathan A. Kottkamp, JD, a partner with the law firm of McGuireWoods in Richmond, VA.
The CHCS settlement indicates that business associate relationships in general, and business associate operations specifically, are a growing focus of action by the OCR, Kottkamp says. In earlier action this year, two covered entities entered into settlements with OCR for failure to have business associate agreements in place. OCR also began Phase 2 audits, including business associates, in March 2016. (For more information, see “Round 2 of Audits for HIPAA Are Focusing on Business Associates,” Healthcare Risk Management, June 2016, which can be accessed at http://bit.ly/1Wm2g3K.)
The settlement amount is fairly low, which suggests that OCR is focused more on helping organizations comply than on punishing them, Kottkamp says.
“This settlement tells us that the enforcement world has changed dramatically now,” Kottkamp says. “It used to be that you could say they’re not going to go after business associates because there are other cases to pursue with covered entities, but no one is safe anymore. We’ve seen ramped-up enforcement on covered entities, and now I think this signals a dramatic change in the risk for business associates.”
CHCS is the first business associate to enter into a settlement, but it won’t be the last. Kottkamp says it is almost certain that there will be more enforcement actions against business associates in the future.
OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee smartphone. The smartphone was unencrypted and was not password-protected. The information on the phone was extensive and included Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.
The CHCS case underscores the risk of allowing PHI on employee smartphones, Kottkamp says. The phone in question had no security features for locking it, which allowed anyone to access the patient records. OCR’s announcement stated that the egregiousness of the breach was mitigated by the fact that CHCS provides charity services to a large population of underserved patients.
“If that had been a hospital, I think we would have seen a much stiffer penalty,” Kottkamp says. “This is a confirmation of what OCR has said publicly, that, at least for the moment, it is very much focused on compliance and not punishment. They’re not looking to shut down somebody’s business, but they want a settlement amount that gets your attention and hurts a little bit.”
Tips from Corrective Plan
At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also determined that CHCS had no risk analysis or risk management plan.
OCR will monitor CHCS for two years as part of this settlement agreement, which helps ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a business associate. Kottkamp notes that, as is often the case, the specific terms of the corrective action plan illustrate OCR’s priorities. In the CHCS corrective action plan, OCR emphasizes policies, procedures, and workforce education. (Readers can access the corrective action plan by going online to http://bit.ly/29McWXU.)
The CHCS case and corrective action plan can be used by covered entities to help educate their business associates about the importance of HIPAA compliance, Kottkamp says. Although the hospital is not obligated under HIPAA to ensure business associates’ compliance, it is in the covered entity’s best interests to have them comply, he says. When a business associate causes a breach, it is most likely the hospital’s name that will be in the headlines.
“The corrective action plan reads like OCR saying what they really care about and how to satisfy them,” Kottkamp says. “You can almost go through the plan and use it as a checklist to assess your own compliance.”