Non-profit business associate faces penalties for HIPAA violation
A recent report of a data breach incident has left a bitter taste in the mouths of HIPAA bound business associates (defined below) across the nation. Such organizations were already rattled by the Office for Civil Rights’ (OCR) plan to hold a series of random audits throughout 2016, but the OCR’s decision to find blame and assess a fine against the business associate directly has elicited additional concern.
On June 30, 2016, the OCR announced the Catholic Health Care Services of the Archdiocese of Philadelphia’s (CHCS) agreement to pay $650,000 fine as a result of a HIPAA violation that led to the breach of hundreds of nursing home residents’ electronic Protected Health Information (ePHI). CHCS is a non-profit responsible for providing management and information technology services to six different nursing facilities in the Philadelphia region.The sections below review some history of HIPAA rules, outline the details of the breach, and provide clarification regarding the resolution terms discussed.
Background: The HIPAA Omnibus Rule
In 2013, the OCR enacted the HIPAA Omnibus Rule to revise previous HIPAA definitions, clarify processes and procedures, and include business associates and their contractors within the HIPAA regulations. The rule has been established for a few years, but the OCR’s lack of investigation efforts has allowed many businesses to operate without adhering to HIPAA protocols. The rule expanded the definition and accountability of business associates, subjecting such organizations to the same fines and penalties as a covered entity. A covered entity is any healthcare provider, healthcare clearinghouse, or health plan that electronically exchanges private health information. A business associate is any individual or organization that produces, stores, receives, or transmits PHI on behalf of a covered entity. In some states, the definition of a covered entity or business associate has been expanded (for example., CPAs and lawyers who have possession of PHI are business associates), and organizations should check with their legal counsel or a state trade association to learn more about regulations specific to their area. The CHCS data breach was announced after the OCR initiated its 2016 round of audits and may prompt a number of businesses to examine their HIPAA compliance and initiate revisions.
What happened: Why should your business care about HIPAA?
In February 2014, the OCR received notifications from six different nursing homes that claimed the CHCS had experienced a breach of unsecured ePHI data. After receiving the notifications, the OCR launched an investigation on April 17, 2014 to examine the business associate’s compliance with HIPAA regulations. The investigation found that at the time of the incident, the CHCS did not have a policy in place to specify the best practices for the transport and use of mobile devices containing ePHI outside of the organization or how to react in the event of a security breach.
In addition, the OCR revealed that the CHCS was lacking a sufficient risk analysis and management plan. The breach occurred after a CHCS employee’s iPhone was reported stolen. The device was unencrypted and did not have a password protection code in place. The ePHI on the iPhone was composed of patient social security numbers, information concerning diagnosis and treatment, medical procedures, the names of family members and legal guardians, and medication details.
The security compromise affected 412 nursing home residents, which led to the OCR’s conclusion that CHCS had violated the HIPAA Security Rule for business associates. Since the time business associates were considered to be covered under the same HIPAA regulations as covered entities, CHCS failed to integrate the proper security policies within their organization. The non-profit not only neglected to perform a thorough risk assessment, but did not implement the security measures necessary to meet HIPAA compliance standards during that time.
The result: A stronger stance on HIPAA violation incidents
The OCR’s findings resulted in the agreement that CHCS pay a $650,000 HIPAA settlement and implement a corrective action plan to resolve the identified security and policy issues. When determining the settlement amount, the OCR acknowledged CHCS’s position as a unique and much-needed service provider in the Philadelphia area. The business associate helps deliver assistance to the elderly, developmentally disabled, young adults exceeding the age requirements of foster care, and those living with HIV/AIDS.
The OCR specified that the organization will be monitored for two years as a part of the HIPAA settlement’s terms. Regular review of CHCS policies and practices are targeted to help the ensure the non-profit’s compliance with HIPAA standards while serving as a business associate. The corrective action plan will require CHCS to fulfill a number of tasks that will encompass a large portion of the organization’s time and resources. The non-profit will be required to regularly submit updates and documentation to the U.S. Department of Health and Human Services to demonstrate its effort to achieve HIPAA compliance.
Covered entities and their business associates must regularly evaluate and adjust their HIPAA compliance efforts to protect the ePHI for which they’re responsible. Aldridge can help your organization design and implement an IT strategy that can help you reach your HIPAA compliance goals. Contact a firm representative today to find out more about how Aldridge can help safeguard your business against the stress, fines, and penalties that can accompany a security breach.