Make sure your practice’s business associates stay on the right side of the law.
Your practice’s Business Associates (BAs)—which can include optical labs, billing companies, and IT firms—are just as liable under the HIPAA privacy law as your practice is, and one Philadelphia business found that out the hard way recently. This cautionary tale shows why you should ensure that your BAs stay compliant with the patient privacy laws.
On June 30, the Office for Civil Rights (OCR), which enforces patient privacy rules, announced a $650,000 settlement with a BA for a data breach of Protected Health Information (PHI). Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to the hefty penalty to settle potential HIPAA violations, including a breach.
“This settlement agreement sets an important milestone as OCR’s first resolution agreement with a BA,” notes attorney Rick Hindmand of Chicago-based McDonald Hopkins LLC. OCR is expanding its recent enforcement focus on BAs, following three resolution agreements with covered entities (CEs) within the last eight months for failure to enter into BA agreements (BAAs) with their BAs.
Mobile Device Theft Causes HIPAA Breach
Background: At the time of the incident, CHCS provided management and IT services as a BA to six medical facilities. On April 17, 2014, OCR launched an investigation after receiving notification that CHCS had a breach involving the theft of a CHCS-issued employee iPhone.
The iPhone contained hundreds of patients’ PHI, including Social Security numbers, diagnoses and treatment information, medical procedures, names of family members and legal guardians, and other medical information. The iPhone was neither encrypted nor password protected.
OCR’s investigation revealed that, at the time of the breach incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility, nor what to do in the event of a security incident. CHCS also had no risk analysis and risk management plan, OCR claims.
‘Much-Needed Services’ Won’t Exempt You from Big Penalties
In addition to the $650,000 monetary payment under the resolution agreement, OCR also imposed a Corrective Action Plan (CAP) and two years of monitoring the BA to help ensure that CHCS remains HIPAA compliant while acting as a BA. Interestingly, as key factors in determining the resolution amount, OCR stated:
“OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.”
Beware: The two-year CAP and the $650,000 settlement are significant, given that CHCS is a non-profit with religious affiliation, provided “much-needed services,” and had only 412 records involved in the breach, notes Colin Zick, an attorney with Foley Hoag LLP. This sends a clear message that OCR is going to treat BAs involved in breaches the same as CEs when it comes to resolving breach incidents.
OCR’s press release stated that CHCS provides “unique and much-needed services” and that this was a factor in determining the resolution, hinting that it presumably lowered the payment amount, Hindmand notes. So for CHCS to still receive such a large penalty for a relatively small-scale breach, it’s clear that “doing important charitable work does not excuse HIPAA noncompliance.”
Watch for More BA Enforcement Actions
The fact that the underlying breach related to this resolution agreement dates back more than two years “suggests a significant backlog at OCR in resolving open matters,” Zick points out.
But perhaps this was a more calculated move — after all, OCR began its investigation only seven months after the HIPAA Omnibus Rule compliance date, Hindmand observes. And keep in mind that other investigations of BAs may be in the pipeline in light of the typical investigation/settlement timeframe of two-plus years, as well as the September 2013 extension of the HIPAA Privacy and Security Rules to BAs.
BAs will also be subject to scrutiny in the Phase 2 HIPAA audits.
Lesson learned: “Expect additional scrutiny and enforcement actions against BAs,” Hindmand warns. “The diligence and sophistication of BAs vary widely with respect to HIPAA and related data privacy and security safeguards, so BA noncompliance may be viewed as a tempting enforcement target (low-hanging fruit).”
“This case provides another reminder that enterprise-wide risk analysis and risk management are not optional,” Hindmand adds. Additionally, “even breaches that affect fewer than 500 individuals (and therefore fall below the threshold for routine OCR investigations) can create extensive exposure.”
Link: To read the resolution agreement and CAP, go to www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html.