In a landscape-shaping turn of events, a HIPAA Business Associate has, for the first time, been required to pay a $650,000 fine for failing to safeguard protected health information (PHI) and electronic protected health information (ePHI). Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle and pay this substantial penalty after 412 individuals’ PHI was compromised through the theft of an organization-issued mobile device that was not password protected. The compromised information belonged to nursing home patients at six nursing home facilities around Philadelphia.
The size of the fine stems from CHCS’ lack of controls to prevent an incident such as this. It was apparent to the Office for Civil Rights (OCR) during the investigation that CHCS had no formal policies addressing the removal of mobile devices containing PHI from its facilities or the organization’s response to a security incident. In addition, OCR noted that CHCS had not performed a risk analysis or implemented a risk management plan. All of these items are violations of the HIPAA Security Rule. The compromised ePHI appears to have included Social Security numbers, diagnosis and treatment information, medical procedures, medication information, and the names of family members and legal guardians.
In determining the resolution amount, OCR determined that “CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.” Had the organization not been deemed such a valuable service provider, the fines may have been even greater.
If you have any questions regarding OCR’s decision, the settlement, or the fine, please contact:
Michael Hammond, CISA, CISSP, CRISC, C|EH
Director, IT Audit Services at [email protected]
or
W. Jackson Schultz, CISA
Senior IT Audit & Security Consultant at [email protected]