First Business Associate HIPAA Penalty Announced$650,000 Fine After Investigation of Breach Affecting Just 412 Patients
In the first HIPAA enforcement action against a business associate, federal regulators have smacked a nonprofit organization with a $650,000 penalty.
The move follows an investigation into the 2014 theft of an unencrypted smartphone that was not password protected. The theft potentially exposed information on just 412 patients at six Philadephia-area nursing homes.
The Department of Health and Human Services' Office for Civil Rights on June 29 announced the resolution agreement with Catholic Health Care Services of the Archdiocese of Philadelphia, which also includes a corrective action plan mandating a long list of security measures.
CHCS provided management and information technology services as a business associate to six skilled nursing facilities. Those facilities reported the breach to HHS in February 2014, triggering the OCR investigation.
Lack of Policies Cited
In a statement, OCR notes that during its investigation, it found that at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also concluded that CHCS had no risk analysis or risk management plan.
"Business associates must implement the protections of the HIPAA Security Rule for the electronic PHI they create, receive, maintain or transmit from covered entities," says Jocelyn Samuels, OCR director. "This includes an enterprisewide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."
Data on the stolen iPhone "was extensive, and included Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information," OCR notes.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, notes: "The business associate provided the mobile device to its employees, making the organization responsible for safeguarding any e-PHI stored on the device."
The best ways to protect mobile devices from breaches is to have them password protected and encrypt them in accordance with the HIPAA Security Rule's technical safeguards standards, Holtzman says. "Under the security rule, if a mobile device's encryption meets HIPAA standards and the device is lost or stolen, then there is no breach and the patients do not have to be notified."
A Strong Message
The resolution agreement with CHCS marks OCR's first enforcement action against a business associate since the HIPAA Omnibus Rule, which went into effect in 2013, made BAs directly liable for HIPAA compliance.
"OCR is sending a strong message that the honeymoon is over for business associates who have not taken the most rudimentary actions to put programs in place to safeguard the electronic PHI in their control," Holtzman says.
The action against CHCS "marks the opening of a new front in HIPAA enforcement by OCR," he adds. "When viewed alongside the threat of OCR HIPAA desk audits, business associates have new incentive to carefully review their information security practices."
OCR is rolling out phase two of its HIPAA compliance audits and plans to evaluate up to 250 covered entities and business associates in the coming months.
OCR settlement agreements often come two to three years after a security incident is reported, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "We will begin to see settlements with business associates interspersed with covered entity settlements in the coming years," he predicts.
Consistent with many past OCR resolution agreements with covered entities, the CHCS case focused on risk management concerns, Greene notes. Based on the settlement details, "OCR likely could have alleged other categories of violations," Greene says. "My suspicion is that OCR limited the alleged violations to send a message to business associates about the importance of these requirements, in particular."
A CHCS spokesman tells Information Security Media Group that the organization "reached a voluntary and amicable settlement" with OCR to resolve the situation. "There have been no reports of unauthorized access to patient information on the stolen iPhone, and all individuals that may have been affected were timely notified," the spokesman says. "Since the theft, CHCS has taken corrective measures and remains committed to complying with HIPAA and diligently safeguarding its clients' protected health information while serving the greater Philadelphia community."
Corrective Action Plan
The OCR resolution agreement includes a two-year corrective action plan in which CHCS agrees to take a number of measures to bolster its security practices, including:
- Conducting an annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI held by CHCS and documenting the security measures implemented;
- Developing, maintaining and revising written policies and procedures to comply with the federal standards that govern the security of individually identifiable health information.
The corrective action plan also notes a long list of issues that CHCS' security policies need to address, including encryption of ePHI, password management, security incident response, mobile device controls, log-in monitoring, data backup and disaster recovery, and audit and data integrity controls.
BAs Involved in Many Breaches
As of July 1, nearly 20 percent of the 1,595 breaches listed on OCR's "wall of shame" tally of major health data breaches involved business associates. But the real percentage is likely higher because a considerable number of breaches on the tally that involved BAs fail to spell out a BA connection.
For instance, as of July 1, at least 17 covered entities have reported breaches tied to a 2015 cyberattack on cloud-based electronic health records vendor Bizmatics Inc. But the reports of those breaches on the federal tally neglect to mention the involvement of a BA.
In one of the most recent BA-related breaches, Massachusetts General Hospital in Boston on June 29 began notifying about 4,300 patients of a breach involving the hospitals' dental practice management software vendor, Patterson Dental Supply Inc.
Covered entities and business associates must learn from the security mishaps of their peers, says Lysa Myers, a researcher at security services firm ESET.
"You're only as safe as your partner," she says. "Everyone involved with vendor management should develop a common, collaborative security strategy that includes layering new protections onto processes and policies to defend against information risk in the supply chain."
For instance, because so many data breaches involve unencrypted data, Myers says it's critical for covered entities to ask how vendors are protecting sensitive data.
"Working together, every department and manager involved with the supply chain and partner organizations can build a safe environment," she says. "Doing so before a cyberattack or accidental data breach occurs can close a critical gap in your organization's security posture."