HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures
Alerts
July 7, 2016

On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.[1] As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

Background

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a "business associate" under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.

CAP Requirements

In addition to the $650,000 payment, CHCS is required to conduct an initial and annual data security risk assessment and document the security measures it has implemented to sufficiently reduce any identified risks. CHCS must also develop the written policies, procedures, and training required by the Security Rule, provide them to HHS for review and approval, revise them as requested by HHS, and implement the revised policies, procedures, and training.[2] CHCS is required to provide the updated policies, procedures, and training to all workforce members and obtain their compliance certification.

To help ensure continued HIPAA compliance, HHS will monitor CHCS's compliance with these CAP requirements for two years. CHCS will need to update its policies and procedures at least annually and provide those updated policies to HHS for review. CHCS must also notify HHS of any workforce noncompliance with its HIPAA-related policies and procedures.

Implications

Since the release of the HIPAA Final Omnibus Rule in early 2013, HHS has held business associates directly responsible for complying with certain HIPAA requirements, including the Security Rule. Although HHS has been slow to bring enforcement actions against business associates, the agency has taken several steps—in addition to this enforcement action against CHCS—signaling much more interest in compliance by business associates.

Earlier this year, HHS highlighted the importance of business associate agreements (BAAs) in two enforcement actions against HIPAA-covered entities (i.e., health care providers, health plans, and health care clearinghouses).[3] For example, in its investigation of Raleigh Orthopaedic Clinic, HHS found that the clinic provided protected health information for approximately 17,300 patients to a business associate without a BAA in place. HHS stated that the lack of a BAA meant that sensitive health information was left without certain safeguards and vulnerable to misuse or improper disclosure.

In addition, in March 2016, HHS launched its HIPAA-compliance audit program of covered entities and business associates.[4] HHS will first perform desk audits of randomly selected covered entities and expects to perform desk audits of randomly selected business associates thereafter.[5]

In response to these initiatives, business associates should assess their HIPAA compliance efforts and update their compliance policies and procedures as needed. Doing so sooner rather than later is important, as HHS has indicated that it will require prompt responses to its requests made during its audits; according to HHS, organizations must respond to HHS within 10 business days of its document requests.[6]

Wilson Sonsini routinely helps HIPAA business associates with privacy and data security matters, including HIPAA Security Rule compliance and other HIPAA-related issues. For more information, please contact Lydia Parnes or another member of the firm's privacy and cybersecurity practice.


[1] The press release and settlement agreement are available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html.
[2] The policies must, at minimum, cover the following topics: encryption of electronic protected health information, password management, security incident response, mobile device controls, information system review, security reminders, log-in monitoring, data backup, disaster recovery, emergency mode operation, testing and revising of contingency plans, application and data criticality analysis, automatic log off, audit controls, and integrity controls.
[3] See the two settlements at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html and http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/north-memorial-health-care/index.html.
[4] See "No More Crying Wolf—HIPAA Audits Coming in 2016," The Wilson Sonsini Data Advisor, November 2015, https://www.wsgr.com/publications/PDFSearch/the-data-advisor/Nov2015/#8.
[5] For more information about the audit program, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html#program.
[6] See more information about the HIPAA audits at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/#timeline.

Contributors

  • Lydia B. Parnes