A wide range of businesses outside the healthcare industry perform services for health care providers and have access to Protected Health Information (PHI). Such a business is considered a Business Associate and may have been, or will be, required to sign a Business Associate Agreement by the health care provider it does business with. Business Associates have a responsibility to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and specifically with HIPAA's Security Rule. The Security Rule requires Business Associates to implement administrative, physical, and technical safeguards. In addition, it imposes other organizational requirements and a need to document processes analogous to HIPAA's Privacy Rule.
Oversight and enforcement of HIPAA compliance for Business Associates falls under the Department of Health and Human Services Office for Civil Rights (OCR). Even though OCR has had this authority since 2009, the summer of 2016 marks the first time a Business Associate has entered into a Resolution Agreement and paid a significant financial settlement following a HIPAA violation.
The settlement in question was levied on June 24, 2016 against Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) following an investigation that commenced on April 17, 2014. The investigation was launched in response to a notice that was provided to OCR following the September 2013 theft of an iPhone which had been issued to a CHCS employee. The stolen iPhone held a large amount of PHI from 412 patients residing at six nursing homes managed by CHCS. Despite holding this PHI, the stolen iPhone was not protected by encryption or even a password. In the course of its investigation, OCR determined that in addition to failing to encrypt or password protect the iPhone, CHCS had also failed to enact an appropriate HIPAA security compliance plan including the requirement to conduct a security risk assessment as required by the HIPAA Security Rule.
As a result of the settlement, CHCS will pay $650,000 and enter into a Corrective Action Plan. The Corrective Action Plan requires the organization to correct the deficiencies in its HIPAA Compliance Plan and will also subject it to monitoring by OCR for a period of two years. For more details about the Resolution Agreement and the Corrective Action Plan, see http://www.hhs.gov/sites/default/files/chcs-racap-final.pdf.
This settlement serves as a strong reminder that compliance with HIPAA is as important for Business Associates as it is for the health care providers that the Business Associates serve. It is essential for a Business Associate to take its role seriously. This means implementing a HIPAA Compliance Plan that addresses the privacy and security of patient data received from the health care provider, training the workforce on the Compliance Plan, conducting a security risk assessment, and adapting policies and procedures as necessary to address deficiencies discovered by the security risk assessment.
Your Houston Harbaugh attorneys have developed tools and materials to assist Business Associates in developing a comprehensive HIPAA Compliance Plan and are available to assist you.
In order to navigate the complicated and ever-changing laws surrounding health care and your business, you need attorneys who understand your challenges. The Pittsburgh health care lawyers at Houston Harbaugh, P.C., have the knowledge and experience to help you manage everyday issues, as well as plan for the future.
Jessica A. Ellel - Practice Chair
Chair of Houston Harbaugh’s Health Law Practice, Jessica works almost exclusively with health care entities and health practitioners. She has extensive experience with:
- Drafting and negotiating physician employment agreements from both the physician and employer perspectives
- Negotiating contracts between physicians and hospitals
- Preparing purchase agreements to govern the sale of medical practices
- Advising on corporate governance issues, from practice formation to dissolution
- Developing comprehensive compliance plans for physician practices, hospitals, third-party billing administrators, and other health care and related entities
- Organizing strategies for compliance with fraud and abuse laws
- Addressing HIPAA compliance
Jessica is especially well-versed in HIPAA compliance and authors numerous client updates and bulletins on the subject. She conducts on-site and remote HIPAA training and also maintains Houston Harbaugh's HIPAA compliance manual, "Federal HIPAA Privacy Standards Simplified: A Comprehensive Tool-Kit".