Catholic Organization Hit With $650,000 HIPAA Fine For Data Breach

Register now

The HHS Office for Civil Rights has levied a $650,000 fine and a corrective action plan against Catholic Health Care Services, a business associate of the Archdiocese of Philadelphia.

Such enforcement actions, with more than 30 others already imposed across the industry, are done when a HIPAA-covered entity or business associate of a healthcare organization is found to have substantially ignored the HIPAA Security Rule. In this case, OCR in February 2014 received notifications of a breach from each of six nursing homes that Catholic Health Care Services operated.

The breaches resulted from theft of an iPhone that was not encrypted or password protected; the device held such sensitive information as Social Security numbers, diagnosis and treatment, medical procedures, names of family members and legal guardians, and medications, according to OCR.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” OCR Director Jocelyn Samuels said in a statement. “This includes an enterprisewide risk analysis and corresponding risk management plan, which is the cornerstone of the HIPAA Security Rule.”

In a formal agreement on the matter, Catholic Health Care Services did not deny the allegations. Its resolution agreement that includes a two-year corrective action plan; it acknowledged its obligations to implement risk analysis and risk management plans, as well as a long list of policies and procedures that have not previously been adopted.

These include policies and procedures covering encryption of electronic protected health information, password management, security incident response, mobile device controls, information system reviews, security reminders, log-in monitoring, data backup plan, disaster recovery plan, contingency plans, data criticality analysis, automatic log off, audit controls and integrity controls.

During this period, any failures of compliance with the policies and procedures among workforce members of Catholic Health Care Services shall be considered events reportable to OCR, along with plans to mitigate the issue.

(This article appears courtesy of our sister publication, Health Data Management)

For reprint and licensing requests for this article, click here.