Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a HIPAA business associate, has agreed to pay the Department of Health and Human Services Office of Civil Rights (“OCR”) $650,000 in connection with a data breach involving the nursing homes to which it provides management and IT services.
The underlying breach occurred in February 2014 (which suggests a significant backlog at OCR in resolving open matters). The breach itself was relatively insignificant compared to those we often see today involving millions of records: this was the theft of an unsecured iPhone with health information of 412 nursing home patients.
The resolution agreement’s formal description of the problematic behavior was: “From September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.” The specifics, according to OCR’s statement about the settlement, are as follows:
- OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone.
- The iPhone was unencrypted and was not password protected.
- The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.
- At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident.
- OCR also determined that CHCS had no risk analysis or risk management plan.
- In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
Given that CHCS is 1) a non-profit, 2) religiously affiliated, 3) providing “much-needed services”, and 4) involved in a breach of “only” 412 records, the $650,000 settlement and two-year corrective action plan are significant and send a clear message: when it comes to resolving breaches, OCR will treat business associates involved in a breach just as if they were covered entities.