$650,000 OCR Settlement Agreed by Philadelphia Business Associate

by | Jul 1, 2016

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle alleged HIPAA violations with the OCR and to put in place a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000.

CHCS is the sole corporate parent of six nursing centers – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing centers. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules.

In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR began an investigation into the breach.

A significant number of OCR investigations into ePHI breaches have shown failures to comply with HIPAA administrative safeguards – specifically 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered entities and their business associates to complete a comprehensive organization-wide risk analysis.

The purpose of the risk analysis is to find “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If a risk analysis is not completed, ePHI may be at risk of being compromised without the covered entity or business associate knowing.

OCR investigators found that CHCS had failed to complete a comprehensive risk analysis since September 23, 2013. CHCS also failed to put in place appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B).

The settlement will serve as a warning to all covered entities and their business associates that the OCR will pursue civil monetary penalties for breaches of HIPAA Rules. With the second round of HIPAA compliance audits coming, healthcare organizations should ensure that a HIPAA-compliant risk assessment is completed that covers all systems, policies, and procedures. Following the risk analysis, an action plan should be formulated and implemented to address any risks it identified.

Any HIPAA covered entity selected for audit will likely be asked to provide documentary evidence showing that a risk analysis has been carried out and that a risk management plan has been executed.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
