By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Potentially lost in the week leading up to the July 4th holiday weekend, the Office for Civil Rights (OCR) announced its latest HIPAA related breach settlement. The settlement is one of the first directed at a business associate and serves as a pointed reminder that business associates may be directly liable for the breaches that they may cause.
The settlement required Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) to pay $650,000 to the government and enter into a Resolution Agreement. CHCS was the sole corporate parent to six skilled nursing facilities and also provided management services to each of the facilities. In its management services role, CHCS received and maintained protected health information (PHI) for or on behalf of each facility.
In February 2014 OCR received a breach notice from each of the six facilities. The reports indicated that unsecured PHI had been breached. During the ensuing investigation, OCR discovered the unencrypted PHI was stored on an iPhone that was lost. The PHI included patient names, social security numbers, diagnosis and treatment information, medical procedures, medications, and family member names. The scope of information, as demonstrated, was fairly extensive. Although, it is interesting to note that OCR’s news announcement identified CHCS’s “unique and much-needed services” as having been taken into consideration when setting the resolution amount.
OCR’s investigation discovered that CHCS did not have a policy addressing removal of mobile devices from its facilities or storage of PHI on mobile devices. In what has been an all too common theme, OCR also determined that CHCS had not conducted the required extensive risk analysis or implemented a risk management plan. Such an outcome seems to be the almost typical result following an OCR investigation. Accordingly, it is then not surprising that CHCS received what in all likelihood was a substantial penalty for its organization.
Even though business associates should have been aware of the necessity of complying with HIPAA requirements and the potential for penalties following the finalization and implementation of the 2013 Omnibus Rule, the CHCS settlement clearly puts business associates on notice. It is no longer a theoretical assumption that business associates will be subject to OCR penalties. Now, business associates are directly under consideration and will be held responsible for their actions.
The business associate focused settlement also serves as a reminder that they are included in the new HIPAA audits. Even though covered entities are the sole subjects of the first round of desk audits, each covered entity will is required to submit a list of each and every business associate that that covered entity engaged. OCR will use the resulting database to help determine which business associates will be included in the first desk audits of business associates.
Top OCR officials have stated that the audits are predominantly for educational purposes. However, the educational posture will not preclude OCR from pushing entities into a compliance review if deliberate disregard or willful ignorance for compliance requirements is uncovered. If such circumstances are found, then an entity may become subject to potential penalties or resolution amounts. Given all of the settlements and guidance about the necessity for a comprehensive risk analysis and the fact that a risk analysis is one of the compliance elements to be reviewed in the desk audits, organizations must be prepared on that front. Failure to do so at this point in time may be inexcusable.
The statement by OCR that it considered the nature of CHCS’s services when setting the resolution amount is informative. Prior to this settlement, the manner in which OCR set the penalties or resolution amounts had been the subject of much speculation. Where the amounts random, where specific circumstances taken into account, where bank accounts examined, or was the amount set by some arcane methodology. The CHCS settlement suggests that OCR is setting resolution amounts on a case by case basis in light of an entity’s specific circumstances. As implied by OCR, CHCS did not face a higher penalty because the overall mission of CHCS did not want to be harmed by taking money away from arguably essential services in its area.
As with all of the recent OCR settlements, the CHCS settlement should be utilized as a learning opportunity. Business associates cannot sit back and think that OCR will not investigate or fine them. If a business associate causes a breach, it is certain that a report of the incident will make it to OCR in some manner. As set out in the HIPAA regulations, business associates are responsible for their actions and there will be money behind that promise.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.