The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

According to the Resolution Agreement and Corrective Action Plan, CHCS provides management services and is the sole corporate parent of six nursing homes.  After the nursing homes reported the breach of unsecured PHI following the theft of the iPhone, OCR initiated an investigation into CHCS’s compliance with HIPAA.  OCR concluded that CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident.  OCR also found that CHCS had not conducted a risk analysis, as required by the HIPAA Security Rule, and had no risk management plan.

In announcing the substantial financial penalty, OCR noted that it took into account the important services that CHCS provides to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS in the Philadelphia region.

This settlement should put business associates on notice of the potential for significant liability for failure to implement required HIPAA policies and procedures. Furthermore, business associates should take steps to ensure that all PHI on laptops and mobile devices is rendered unreadable and unusable to unauthorized users, such as through encryption.