With its levy of a $650,000 fine on a service provider of the Archdiocese of Philadelphia, the Department of Health and Human Services’ Office for Civil Rights (OCR) has entered into what appears to be its first-ever settlement with a business associate for allegedly violating the HIPAA Security Rule.
The OCR action stemmed from the 2013 theft of an iPhone from Catholic Health Care Services (CHCS), which led to the loss of protected health information (PHI) of 412 people, according to the OCR settlement and corrective action plan.
CHCS provides information and technology services to nursing homes operated by the Archdiocese.
The HITECH Act of 2009 made business associates of healthcare organizations covered entities under HIPAA and subject to HIPAA’s health data privacy and security requirements just as healthcare organizations are.
In 2016, OCR began auditing business associates for the first time, as part of a formal round of audits of healthcare organizations and of business associates such as companies and nonprofits that handle PHI, including billing firms and cloud providers.
After an investigation starting in 2014, OCR determined that, among other violations, CHCS failed to perform a security risk analysis and failed to put in place a security risk management plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a release. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
Meanwhile, another PHI breach by a business associate that exposed health data of 4,300 dental patients was disclosed recently by Massachusetts General Hospital, the Boston Globe reported.
In February, Mass. General learned that an unauthorized party had gained access to electronic files stored by Patterson Dental Supply Inc., which supplies software to help manage dental practices for healthcare providers including Mass. General.
On June 29, the hospital began notifying affected patients that their PHI – including dates of birth, Social Security numbers, and possibly the dates and times of their dental appointments – had been exposed.