$650,000 OCR Settlement Agreed by Philadelphia Business Associate

July 1, 2016 Patrick Kennedy HIPAA Updates Comments Off

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle alleged HIPAA violations with the OCR and has agreed to put in place a Corrective Action Plan (CAP). CHCS will also pay a financial fine of $650,000.

CHCS is the sole corporate parent of six nursing centers – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing centers. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules.

In February 2014, each of the six nursing facilities filed a breach notice to the OCR regarding a violation of ePHI. On April 17, 2014, the OCR began an investigation into the breach.

A significant number of OCR investigations into ePHI breaches have shown failures to adhere with HIPAA administrative safeguards – specifically 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered bodies and their business associates to complete a comprehensive organization-wide risk analysis.

The purpose of the risk analysis is to find “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If a risk analysis is not completed ePHI may be at risk of being compromised, unbeknownst to the covered body or business associate.

OCR investigators found that CHCS had failed to complete a comprehensive risk analysis since September 23, 2013. CHCS also failed to put in place appropriate security measures to address dangers to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B).

The settlement will serve as a warning to all covered bodies and their business associates that the OCR will pursue civil monetary penalties for breaches of HIPAA Rules. With the second round of HIPAA compliance audits coming, healthcare organizations should ensure that a HIPAA-compliant risk assessment is completed that covers all systems, policies, and procedures. Following the risk analysis an action plan should be formulated and implemented to address any risks discovered during the risk analysis.

Any HIPAA covered body selected for audit will likely be asked to provide documentary evidence that shows that a risk analysis has been carried out and that a risk management plan has been executed.

About Patrick Kennedy 619 Articles

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/