The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was neither encrypted nor password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; diagnosis, treatment, medical procedure and medication information; and the names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

According to the Resolution Agreement and Corrective Action Plan, CHCS provides management services and is the sole corporate parent of six nursing homes.  After the nursing homes reported the breach of unsecured PHI following the theft of the iPhone, OCR initiated an investigation into CHCS’s compliance with HIPAA.  OCR concluded that CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident.  OCR also found that CHCS had not conducted a risk analysis, as required by the HIPAA Security Rule, and had no risk management plan.

In announcing the substantial financial penalty, OCR noted that it took into account the important services that CHCS provides to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS in the Philadelphia region.

This settlement should put business associates on notice that failing to implement required HIPAA policies and procedures, including a Security Rule risk analysis and risk management plan, can carry significant liability.  Business associates should also ensure that PHI stored on laptops and mobile devices is rendered unusable, unreadable, or indecipherable to unauthorized users, for example through encryption consistent with HHS guidance.  Doing so matters beyond preventing the loss itself: PHI encrypted in accordance with that guidance is not “unsecured PHI” under the breach notification rule, so the loss of a properly encrypted device does not by itself trigger breach notification obligations.  Encryption only provides this protection, however, when it is paired with a passcode or other access control that guards the encryption key; a device that unlocks without authentication offers no real protection to the data it holds.

Covington Digital Health Team


Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services.