Catholic Health Care Services of the Archdiocese of Philadelphia will pay $650,000 to settle HIPAA violations connected to the theft of a CHCS-issued employee iPhone in a business associate-related incident. CHCS also agreed to a corrective action plan.
CHCS provided management and information technology services as a business associate to six skilled nursing facilities. According to the Office for Civil Rights, which oversees and enforces HIPAA, the theft compromised the protected health information of 412 nursing home residents. Moreover, OCR found that CHCS lacked the required risk analysis and accompanying risk management plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a statement. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
[Also: OCR cautions hospitals to prepare for breaches at business associates]
OCR initiated its investigation on April 17, 2014, after it was notified of the stolen phone, which was unencrypted and was not password protected. The information on the iPhone was extensive, OCR found, and it included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians and medication information.
At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident, according to OCR officials.
In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care and individuals living with HIV/AIDS, Samuels noted.
OCR will monitor CHCS for two years as part of the settlement agreement.
