OCR Enters $650K Agreement with Healthcare Business Associate

The agreement also calls for the creation of PHI policies and a corrective action plan.

The Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with a healthcare business associate June 30.

The agreement stems from a violation of the Health Insurance Portability and Accountability Act that was reported to the OCR by multiple hospitals in 2014.

The agreement calls for the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) to create a corrective action plan and to pay a $650,000 fine, reports natlawreview.com.

CHCS, which provides management and information technology to six skilled nursing facilities, was found to have violated the HIPAA Security Rule after an OCR investigation into the theft of an employee’s iPhone. The phone contained the protected health information (PHI) of 412 patients, including names, social security numbers, medications and diagnosis and treatment information. The company-issued device was unencrypted and not password protected.

RELATED: Boston Hospital’s Vendor Announces Patient Data Breach

Additionally, the OCR’s investigation found that CHCS had no policies addressing the removal of mobile devices with PHI from its facilities or action plans in the event of a security breach. CHCS also had no risk analysis or risk management plan.

Under the agreement, the office will monitor the company for two years to ensure HIPAA compliance CHCS must also conduct an extensive risk assessment and create written policies and procedures for handling PHI. Those policies will be reviewed for approval by the OCR within 150 days.

Business associates have been included in HIPAA since 2010 but have not traditionally been targeted by the OCR.

RELATED: OCR Sends Message to Healthcare Industry with 2 HIPAA Settlements

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!

Get Our Newsletters
Campus Safety Online SummitCampus Safety HQ