On June 30, the Office for Civil Rights (OCR) announced the first
HIPAA settlement agreement with a business associate. This follows
recent settlements with two HIPAA covered entities due, in large
part, to the absence of a business associate agreement (BAA) with
third-party vendors handling patient protected health information (PHI).
In this first business associate settlement, Catholic Health
Care Services of the Archdiocese of Philadelphia (CHCS) agreed to
settle what OCR determined were potential violations of the HIPAA
Security Rule. As with prior settlements with covered entities,
this settlement mandates both a two-year corrective action plan and
a monetary payment (assessed at $650,000 in this case).
In its role as a business associate, CHCS provided both
management and information technology services for six skilled
nursing facilities. The breach of the Security Rule occurred when
an unencrypted smartphone was stolen from a CHCS employee. The
stolen phone contained a wide variety of PHI for 412 nursing home
residents, including Social Security numbers, diagnosis and
treatment information, names of family members and guardians, and
medication information. As part of its investigation, OCR
determined that CHCS had failed to take steps to assess the risks
posed by its handling of PHI and had inadequate security protocols
in place to minimize the risk of PHI disclosure. Through this
settlement, OCR sent a strong message that HIPAA enforcement is not
limited to directly covered entities, but will also be imposed on
all business associates that work with those entities. The OCR
director stated that business associates must conduct
"enterprisewide risk analysis" and maintain a
"corresponding risk management plan" in order to comply
with the HIPAA Security Rule. It is worth noting that, though this
breach actually occurred during the time when CHCS owned the
nursing homes, OCR chose to describe this as a settlement with a
business associate—perhaps to underscore the importance of
business associate compliance.
Under BAA contractual obligations, business associates are
specifically required to comply with the provisions of the HIPAA
Security Rule and the corollary Breach Notification Rules. Thus,
business associates of all types should take advance steps to
ensure compliance so they will be prepared in the event of an OCR
audit or investigation.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.