The Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with a healthcare business associate June 30.
The agreement stems from a violation of the Health Insurance Portability and Accountability Act that was reported to the OCR by multiple hospitals in 2014.
The agreement calls for the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) to create a corrective action plan and to pay a $650,000 fine, reports natlawreview.com.
CHCS, which provides management and information technology to six skilled nursing facilities, was found to have violated the HIPAA Security Rule after an OCR investigation into the theft of an employee’s iPhone. The phone contained the protected health information (PHI) of 412 patients, including names, social security numbers, medications and diagnosis and treatment information. The company-issued device was unencrypted and not password protected.
RELATED: Boston Hospital’s Vendor Announces Patient Data Breach
Additionally, the OCR’s investigation found that CHCS had no policies addressing the removal of mobile devices with PHI from its facilities or action plans in the event of a security breach. CHCS also had no risk analysis or risk management plan.
Under the agreement, the office will monitor the company for two years to ensure HIPAA compliance CHCS must also conduct an extensive risk assessment and create written policies and procedures for handling PHI. Those policies will be reviewed for approval by the OCR within 150 days.
Business associates have been included in HIPAA since 2010 but have not traditionally been targeted by the OCR.
RELATED: OCR Sends Message to Healthcare Industry with 2 HIPAA Settlements