Catholic Health Care Services agreed to settle the case, in which federal authorities determined they lacked a proper system for safeguarding sensitive patient data.
There’s no longer much question about whether federal health authorities are serious about cracking down on technology solutions providers that don’t take cybersecurity seriously.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to pay $650,000 to settle “potential violations” of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), after patient data was stolen from a smartphone.
Mishandling HIPAA-protected data has generated more than $9 million in fines this year alone, federal authorities reported.
By providing management and information technology services to six skilled nursing facilities, CHCS is deemed a “Business Associate,” under HIPAA laws
Business Associates of “covered entities” can be held liable in the event of a breach or violation.
“Business Associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
The Office of Civil Rights (OCR) launched a probe in April of 2014, after receiving a report that a CHCS-issued iPhone had been breached.
Investigators determined that protected health information (PHI) belonging to 412 nursing home residents was illegally obtained, including social security numbers, diagnoses and treatments, medical procedures, and names of relatives and medications.
“The iPhone was unencrypted and was not password protected,” HHS officials said in a statement announcing the settlement.
“At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident,” the statement continued. “OCR also determined that CHCS had no risk analysis or risk management plan.”
Liability costs under HIPAA rules has become a growing concern for technology solutions providers in recent years.
Medical digitization requirements prompted by the Affordable Care Act offer lucrative new veins of revenue in the healthcare vertical.
But MSPs and other solutions providers must weigh the market opportunity against the risk of criminal penalties, lawsuits or civil fines as high as $1.5 million per breach for mishandling PHI.
Last March, Federal health authorities launched random audits – the second such round – aimed at assessing the compliance of covered entities, MSPs and other business associates with HIPAA privacy laws.
In determining the CHCS penalty, federal authorities say they took into consideration that the firm provides important health services in the Philadelphia area that benefit the elderly, developmentally disabled, foster care recipients and those living with HIV/AIDS.
The agreement, dated June 24, also includes a corrective action plan.
“OCR will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a Business Associate,” the government’s statement said.