HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Philadelphia Business Associate Agrees to $650,000 OCR Settlement

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR, to implement a Corrective Action Plan (CAP), and to pay a financial penalty of $650,000.

CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules.

In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach.

A large number of OCR investigations into ePHI breaches have revealed failures to comply with the HIPAA administrative safeguards, specifically 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered entities and their business associates to conduct an accurate and thorough, organization-wide risk analysis.


The purpose of the risk analysis is to identify “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If a risk analysis is not performed, ePHI may be exposed to risks that the covered entity or business associate is not even aware of, and therefore cannot manage.

OCR investigators determined that CHCS had failed to perform a comprehensive risk analysis since September 23, 2013, the date on which business associates became directly liable for compliance with the HIPAA Security Rule. CHCS also failed to implement appropriate security measures to reduce the risks to ePHI to a reasonable and appropriate level, as required by the risk management specification at 45 C.F.R. § 164.308(a)(1)(ii)(B).

The settlement should serve as a warning to all covered entities and their business associates that the OCR will pursue financial penalties for violations of HIPAA Rules. With the second round of HIPAA compliance audits looming, healthcare organizations should ensure that a HIPAA-compliant risk analysis is performed that covers every system that creates, receives, maintains, or transmits ePHI, together with the policies and procedures that govern it. Following the risk analysis, a risk management plan should be developed and implemented to remediate the risks it identifies, and both the analysis and the remediation should be documented.

Any HIPAA covered entity or business associate selected for audit will likely be asked to provide documentary evidence that a risk analysis has been conducted and that a risk management plan has been executed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.