Business Associate’s Failure to Protect Patient PHI Leads to $650,000 HIPAA Penalty Just Weeks before Phase 2 HIPAA Audits Kick into High Gear… Coincidence? We Think Not.

After a two-year investigation into the theft of an unencrypted smartphone with no password protection, the Department of Health and Human Services' Office for Civil Rights (OCR) announced the first ever Business Associate HIPAA penalty. Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia was hit with a $650,000 penalty for the potential exposure of 412 patients’ information at six Philadelphia-area nursing homes back in 2014. OCR shared that data on the stolen employee-issued smartphone "was extensive, and included Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information."

In addition to the monetary penalty, OCR and CHCS also agreed on a corrective action plan mandating an extensive list of security measures. During the investigation, it was discovered that CHCS (at the time of the incident) had no policies addressing the removal of mobile devices containing protected health information (PHI) from its facility, or what actions to take in response to a security breach. In addition, it was found that CHCS had no risk analysis or risk management plan in place.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule,” she added.

Who’s Next?

Phase 2 of OCR’s HIPAA audit program has officially been underway for a few months now, and selected covered entities received notification letters via email on Monday, July 11, 2016 regarding their inclusion in the desk audit portion of the program. While conducting desk audits of covered entities, OCR will replicate the same notification and document request process to initiate desk audits of selected business associates in the fall of this year.

Since the 2013 release of the HIPAA Omnibus Rule, which made business associates directly liable for HIPAA non-compliance, it has become increasingly evident that business associates have been heavily involved in some of the largest healthcare data breaches to date.

According to HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee, as of July 1, 2016 nearly 20 percent of the 1,595 breaches listed on OCR's "wall of shame" tally of major health data breaches involved business associates. She adds that the real percentage is possibly higher, because a significant number of breach reports involving business associates fail to identify the business associate connection.

With the announcement of CHCS’s punitive HIPAA penalty and the promised upcoming desk audits for business associates, it is clear that OCR is making a strong statement about its concern over the current state of business associates’ information security practices. Business associates, now more than ever, must make it a priority to have the appropriate security, privacy and compliance programs in place.

How are you protecting sensitive data?

As business associates continue to grapple with full compliance with the HIPAA Security and Privacy Rules, as well as the growing mandates from their customers to demonstrate the highest levels of information security assurance, a clear framework, roadmap and performance measurement criteria for information security and compliance management are critical.

The HITRUST Common Security Framework (CSF) is the leading information security framework for the healthcare industry. The CSF was created by healthcare, technology, information security, privacy and compliance leaders, and combines requirements from existing federal and third-party standards and regulations. HITRUST Certification facilitates a thorough evaluation and documentation of current-state compliance and enables new baselines and roadmaps for information assurance management.

With the number of breaches increasing every day and the organized targeting of healthcare data, the industry has been forced to ensure a higher level of security, privacy and compliance. The HITRUST CSF has already become the “gold standard” in the healthcare industry for measuring and certifying your security management program. Achieving a HITRUST Certification means that your program has reached a maturity level equivalent to the most rigorous standards in the industry. This is why healthcare insurance companies (payers), as well as an increasing number of healthcare systems and hospitals, are requiring their business associates to attain a HITRUST certification.

BluePrint Healthcare IT is the longest-tenured 100% healthcare-focused HITRUST Certified Assessor. BluePrint has taken business associates through the certification process while helping them simplify the complexities of HITRUST through our depth, experience, proven methodology, client partnerships and purpose-built tools that complement and streamline the use of the MyCSF portal.

Visit to learn more or contact Pamela Hayduk to begin your HITRUST Certification journey today.