Organizations that provide services to entities handling personal health information and health records—like doctors offices and hospitals—for some time now have been required to comply with the security and privacy requirements of the Health Information Portability and Accountability Act (HIPAA).
But thus far, the Office of Civil Rights (OCR) at the US Department of Health and Human Services, which is responsible for administering the rules, has taken few steps to enforce HIPAA.
That may finally be changing.
The OCR recently reached a settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) over the 2014 theft of a mobile device containing unencrypted protected health data on over 400 hundred patients at a nursing home.
The settlement requires CHCS to pay a $650,000 fine and adopt a corrective action plan to protect against something similar happening again. The plan calls on CHCS to implement formal risk analysis and risk management procedures and to develop and maintain a written security policy covering topics like data encryption, password management, incident response, device control, log-in monitoring, and disaster recovery.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said Jocelyn Samuels, director of the OCR in a statement announcing the settlement.
CHCS provides living services like housing, care management, and in-support programs for seniors in the Philadelphia area. It is the first business associate—or organization that provides services to HIPAA-covered entities—to face enforcement action for a security violation under the statute.
Odia Kagan, an attorney with the law firm Ballard Spahr LLP in Philadelphia, says the OCR enforcement action highlights the need for business associates to properly address how they handle protected health information (PHI) under HIPAA.
“They should conduct periodic risk assessments to ascertain the vulnerabilities to PHI going through their systems, both externally and internally,” Kagan says. In addition they should make sure to implement written policies and procedures for protecting the confidentiality, integrity, and availability of PHI in their systems, she says.
Going forward, business associates should expect more such audits and enforcement action from the OCR — and it won’t always take a breach to initiate one, Kagan cautions.
The OCR recently launched Phase 2 of its HIPAA audit program and it has already sent out emails to some 167 covered entities notifying them of being selected for a formal desk audit, she says. The desk audits will focus on how well the covered entities have complied with requirements like making privacy notices available to patients, the access they provide to PHI, the timeliness and content of their breach notifications, and whether they conduct periodic audits of business associate compliance.
According to the OCR, the second phase of its HIPAA audit program scheduled for later this year will involve not only covered entities but also their business partners, Kagan says.
Such developments should encourage business associates to pay attention not just to the prospect of an audit but also to the likely outcome of one. “If business associates adequately prepare by taking the right steps to protect PHI, they would be well positioned to do well in an audit, even if one does occur,” she says.