HIPAA Penalty of $650,000 to Business Associate: OCR Means What It Says

Jul 5, 2016 | Blog

The Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services had advised for some time that it intended to focus on HIPAA Business Associates. The $650,000 penalty and two-year Corrective Action Plan  settled by Resolution Agreement of a penalty proceeding against Catholic Health Care Services (“CHCS”) of Philadelphia, announced July 1, 2016,  sends a strong statement that Business Associates are indeed squarely within OCR’s crosshairs this summer.

A HIPAA Business Associate is an individual or organization who accesses Protected Health Information (“PHI”) in order to perform a service for a HIPAA Covered Entity (healthcare provider, health plan or clearinghouse). Business Associates comprise a wide spectrum of services including IT, outsourced billing services, legal services, mobile health IT applications that access PHI, accountancy and consultancy for operations. Business Associates are required to comply with certain provisions of the HIPAA Security Rule to the same extent as Covered Entities.  IT was the area of focus in the CHCS proceeding.

CHCS had, at one time, owned the six nursing homes at issue. After selling them, CHCS retained a role in management and IT services for the nursing homes. The settlement of $650,000 perhaps appears outsized when the nature of the breach is considered: loss of an iPhone that was not password-protected or encrypted, and only 412 individuals affected. But there was more. The Resolution Agreement was reached after an investigation noted that determined CHCS as a Business Associate, had failed to meet the HIPAA requirements of a timely, documented Security Risk Analysis; had failed to document an incident response plan; and did not document a risk management plan with security policies concerning uses of mobile devices such as iPhones to store and transmit PHI (i.e., encryption and password protection).

OCR Director Jocelyn Samuels, in the press release concerning the settlement, noted OCR’s  focus on Business Associate compliance with HIPAA, stating “Business Associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Breaches such as the one here are all too common, and many Business Associates are not fully aware of the fact that they are squarely under the jurisdiction of OCR, or the consequences of failure to document adherence to the requirements of the HIPAA Security Rule. The $650,000 settlement will cost CHCS considerably more than that figure when compliance costs for the two-year Corrective Action Plan in the Settlement are calculated.

Proactive action by Business Associates to avoid such costly consequences is not just good financial sense. HIPAA requires it. If you have questions regarding HIPAA assessments and compliance for Business Associates, please contact Kenneth N. Rashbaum.