$650,000 OCR Settlement Agreed by Philadelphia Business Associate

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle alleged HIPAA violations with the OCR and has agreed to put in place a Corrective Action Plan (CAP). CHCS will also pay a financial fine of $650,000.

CHCS is the sole corporate parent of six nursing centers – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing centers. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules.

In February 2014, each of the six nursing facilities filed a breach notice with the OCR regarding a breach of ePHI. On April 17, 2014, the OCR began an investigation into the breach.

A significant number of OCR investigations into ePHI breaches have shown failures to adhere to HIPAA administrative safeguards – specifically 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered entities and their business associates to complete a comprehensive organization-wide risk analysis.

The purpose of the risk analysis is to find “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If a risk analysis is not completed, ePHI may be at risk of being compromised, unbeknownst to the covered entity or business associate.

OCR investigators found that CHCS had failed to complete a comprehensive risk analysis since September 23, 2013. CHCS also failed to put in place appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B).

The settlement will serve as a warning to all covered entities and their business associates that the OCR will pursue civil monetary penalties for breaches of HIPAA Rules. With the second round of HIPAA compliance audits coming, healthcare organizations should ensure that a HIPAA-compliant risk assessment is completed that covers all systems, policies, and procedures. Following the risk analysis, an action plan should be formulated and implemented to address any risks discovered during the risk analysis.

Any HIPAA covered entity selected for audit will likely be asked to provide documentary evidence that shows that a risk analysis has been carried out and that a risk management plan has been executed.