Practitioners advising clients regarding HIPAA Business Associate Agreements would be wise to take notice of a recent settlement by the Office of Civil Rights (OCR). On June 30, OCR announced the first HIPAA settlement agreement with a business associate. This follows recent settlements with two HIPAA covered entities that were due, in large part, to the absence of a Business Associate Agreement (BAA) with third-party vendors handling patient Protected Health Information (PHI).
In this first business associate settlement, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle what OCR determined were potential violations of the HIPAA Security Rule. As with prior settlements with covered entities, this settlement mandates both a 2-year corrective action plan and a monetary payment (assessed at $650,000 in this case).
In its role as a business associate, CHCS provided both management and information technology services for six skilled nursing facilities. The breach of the Security Rule occurred when an unencrypted smartphone was stolen from a CHCS employee. The stolen phone contained a wide variety of PHI for 412 nursing home residents, including social security numbers, diagnosis and treatment information, names of family members and guardians, and medication information. As part of its investigation, OCR determined that CHCS had failed to take steps to assess the risks posed by its handling of PHI and had inadequate security protocols in place to minimize the risk of PHI disclosure.
Through this settlement, OCR sent a strong message that HIPAA enforcement is not limited to directly covered entities, but will also be imposed on all business associates that work with those entities. The OCR director stated that business associates must conduct “…enterprise-wide risk analysis” and maintain a “corresponding risk management plan” in order to comply with the HIPAA Security Rule. It is worth noting that, though this breach actually occurred during the time when CHCS owned the nursing homes, OCR chose to describe this as a settlement with a business associate—perhaps to underscore the importance of business associate compliance.
Under BAA contractual obligations, business associates are specifically required to comply with the provisions of the HIPAA Security Rule and the corollary Breach Notification Rules. Thus, practitioners should advise business associates of all types to take advance steps to ensure compliance so they will be prepared in the event of an OCR audit or investigation.
Matt Fisher represents health care providers in certificate of need law and privacy. His privacy practice involves representing clients on their responsibilities with health information, whether they are acting as an employer, a health plan sponsor, a health care provider, an insurer, a business associate, a vendor of personal health records, or otherwise.