Jul 72016

OCR Announces First HIPAA Settlement With a Business Associate

Meenakshi Datta, Anna Spencer and Rina Mady
, , , ,

On June 24, 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a resolution agreement with the Department of Health and Human Services Office for Civil Rights (“OCR”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule after the theft of a CHCS mobile device compromised the protected health information (“PHI”) of 412 nursing home residents.  This is OCR’s first settlement with a HIPAA business associate.  As part of the settlement, CHCS agreed to enter into a two-year corrective action plan (“CAP”) and pay a monetary penalty of $650,000.

CHCS provides management and information technology services as a business associate to six skilled nursing facilities that it formerly owned.  OCR initiated its investigation of CHCS on April 17, 2014, after receiving separate notification from each of the six skilled nursing facilities in February 2014 that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee smart phone.  According to OCR, the smart phone was unencrypted and was not password protected.  The information on the smart phone included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.

OCR’s investigation revealed that, from September 23, 2013, the compliance date of the Security Rule for business associates, until the present, CHCS failed to (1) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS in accordance with 45 C.F.R. § 164.308(a)(1)(ii); and        (2) implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule.  Specifically, at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing electronic PHI from its facility and no risk analysis or risk management plan to address what to do in the event of a security incident.

This is the first HIPAA noncompliance settlement that OCR has entered into with a business associate since the enactment of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) first made business associates directly liable under HIPAA in 2009.  Now that OCR has commenced enforcement against business associates and given that the second round of HIPAA compliance audits includes such entities, companies that are regulated as business associates should renew their efforts to ensure compliance with HIPAA.  As OCR noted in its press release, a risk assessment and risk management plan are cornerstones of compliance with the HIPAA Security Rule.  Multiple settlements have been reached with covered entities for failure to perform a risk assessment.  As a result, it would be reasonable to expect that OCR’s action against CHCS will be the first of many settlements with business associates related to this issue.

Meenakshi Datta

Chicago

mdatta@sidley.com

Anna Spencer

aspencer@sidley.com

Rina Mady

Chicago

rmady@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.