Most of us have lost a smartphone or tablet, but most of us aren’t carrying around patient information. And if you are going to carry PHI (protected health information) you’d better make certain that you adequately protect that data.
That’s the lesson to come out of the settlement last week between the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) and the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
The settlement includes a monetary payment of $650,000 and corrective action.
CHCS agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule after the theft of a CHCS mobile device. That device held the PHI of hundreds of nursing home residents. CHSC provides management and information technology services as a business associate to six nursing facilities.
According to the OCR, the total number of people affected by the breaches was 412.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” confirmed U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels in a statement.
The OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone.
According to the OCR, the iPhone was unencrypted and not password protected. The information on the iPhone included Social Security numbers, diagnosis and treatment and medical information, medical procedures and names of family members and guardians. The OCR also determined that CHCS didn’t have policies in place to address the removal of mobile devices containing PHI from its facility, or what to do in the event of a security incident. It also had no risk analysis or risk management plan in place.
As part of the agreement, OCR will monitor CHCS for two years and help to ensure that CHCS remains compliant with its HIPAA obligations.
The Resolution Agreement and Corrective Action Plan can be seen here.
Such fines aren’t rare, as seen when last year a Massachusetts hospital settled a HIPAA violation by paying $218,000 for “permitting employees to use a Web-based file-sharing application to store patients’ protected health information.” Or, in July 2011, when the University of California at Los Angeles Health System agreed to settle an alleged HIPAA violation to the expense of $865,500.
But they can certainly be avoided. And “business associates” should take note.