OCR Announces First HIPAA Enforcement Action against a Business Associate


The U. S. Department of Health and Human Services Office for Civil Rights (OCR) is expected to conduct its first audits of business associates under its new HIPAA audit program this fall, with the possibility that some audits could turn into OCR investigations, even when there has been no breach.

This action demonstrates that business associates need to make sure they have taken appropriate measures to comply with the Health Insurance Portability and Accountability Act (HIPAA). What brought on this decision? The following case discusses issues that were brought to the OCR’s attention because of a breach.

Ensuring that your organization is prepared in the event of a breach is becoming ever more important. Earlier this year Withum released a Cybersecurity Preparedness Checklist for organizations to use as a guide and to self-assess their level of preparedness. While this checklist is not exhaustive, it helps to surface where an organization may have weaknesses and/or where its risks lie. The case details that follow emphasize some of the questions in the checklist in more detail.

The National Institute of Standards and Technology (NIST) released a comprehensive NIST Cybersecurity Framework in 2014 that allows organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. Completing a NIST Control Framework Assessment is a worthwhile investment: its cost is far outweighed by the $650,000 penalty and the related hidden costs that publicly come with the case below.

Case Details

The OCR announced an agreement with Catholic Health Services of the Archdiocese of Philadelphia (CHCS), settling allegations that CHCS violated the HIPAA Security Rule by failing to protect electronic protected health information (ePHI). This is the first enforcement action that OCR has taken against a “business associate” of a HIPAA-covered entity.

CHCS is a nonprofit organization that provides management and information technology services as a business associate of six nursing homes. These nursing homes reported a data breach to OCR in 2014 after a CHCS employee’s iPhone was stolen. The mobile device was neither encrypted nor protected by a password. It contained Social Security numbers, names of family members and legal guardians, and information regarding diagnoses, medical procedures, medication, and other treatments for 412 patients.

OCR conducted an investigation and concluded that CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and failed to implement appropriate security measures to reduce such risks as required under HIPAA.

As a result of the Resolution Agreement and Corrective Action Plan, CHCS must pay $650,000 in penalties and adhere to a corrective action plan that requires it to:

  1. Conduct annual risk assessments and document the measures it takes to reduce those risks;
  2. Develop, maintain, and annually review and revise its written policies and procedures to comply with the HIPAA Security Rule; and submit those policies and procedures (and revisions) to HHS for approval;
  3. Distribute its policies and procedures to all members of its workforce (and to new members within their first 14 days of work) and require new workforce members to sign a certification form stating they have read, understand, and shall abide by such policies and procedures;
  4. Report any event of noncompliance with its HIPAA policies and procedures to HHS;
  5. Provide annual training for all workforce members with access to ePHI; and submit annual compliance reports to OCR.

OCR’s action demonstrates that business associates need to make sure that they have taken appropriate measures to comply with HIPAA. In this case, issues came to OCR’s attention because of a breach. OCR is expected to conduct its first audits of business associates under its new HIPAA audit program this fall, with the possibility that some audits could turn into OCR investigations, even when there has been no breach.

Is your organization prepared against a cyber breach or an attack? Ensuring your security is vital to the safety of your patients and their data, and to maintaining compliance with HIPAA. Review the Cybersecurity Preparedness Checklist. If you leave some questions unchecked or have reservations, it’s time to discuss. Don’t become the victim.
