Catholic Health Care Services agreed to settle the case, in which federal authorities determined they lacked a proper system for safeguarding sensitive patient data.

Aldrin Brown, Editor-in-Chief

July 11, 2016

2 Min Read
IT Services Provider Pays 650K HIPAA Breach Fine

There’s no longer much question about whether federal health authorities are serious about cracking down on technology solutions providers that don’t take cybersecurity seriously.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to pay $650,000 to settle “potential violations” of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), after patient data was stolen from a smartphone.

Mishandling HIPAA-protected data has generated more than $9 million in fines this year alone, federal authorities reported.

By providing management and information technology services to six skilled nursing facilities, CHCS is deemed a “Business Associate,” under HIPAA laws.

Business Associates of “covered entities” can be held liable in the event of a breach or violation.

“Business Associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

The Office of Civil Rights (OCR) launched a probe in April of 2014, after receiving a report that a CHCS-issued iPhone had been breached.

Investigators determined that protected health information (PHI) belonging to 412 nursing home residents was illegally obtained, including social security numbers, diagnoses and treatments, medical procedures, and names of relatives and medications.

“The iPhone was unencrypted and was not password protected,” HHS officials said in a statement announcing the settlement.

“At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident,” the statement continued. “OCR also determined that CHCS had no risk analysis or risk management plan.”

Liability costs under HIPAA rules has become a growing concern for technology solutions providers in recent years.

Medical digitization requirements prompted by the Affordable Care Act offer lucrative new veins of revenue in the healthcare vertical.

But MSPs and other solutions providers must weigh the market opportunity against the risk of criminal penalties, lawsuits or civil fines as high as $1.5 million per breach for mishandling PHI.

Last March, Federal health authorities launched random audits – the second such round – aimed at assessing the compliance of covered entities, MSPs and other business associates with HIPAA privacy laws.

In determining the CHCS penalty, federal authorities say they took into consideration that the firm provides important health services in the Philadelphia area that benefit the elderly, developmentally disabled, foster care recipients and those living with HIV/AIDS.

The agreement, dated June 24, also includes a corrective action plan.

“OCR will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a Business Associate,” the government’s statement said.

 

Send tips and news to [email protected].

Read more about:

MSPsMSP 501

About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.

 

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like