Interactive Counsel

Arent Fox's interactive media law blog - latest news and trends in advertising, data security & privacy, and IP.


Business Associates Beware! HHS Levies First HIPAA Fines on Business Associate


On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS). This is HHS’ first resolution agreement and monetary penalty against a business associate (BA) under HIPAA.
 
CHCS provides management and IT services to nursing facilities and is therefore a BA. The alleged HIPAA violations arose from the theft of a CHCS mobile device, which compromised the protected health information (PHI) of 412 nursing home residents. HHS’ investigation found that CHCS had failed to (1) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to electronic PHI, and (2) implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level, as the Security Rule’s risk analysis and risk management standards (45 C.F.R. § 164.308(a)(1)(ii)(A) and (B)) require. Notably, the enforcement action rests on the missing risk analysis and risk management process, not on the device theft itself: a lost or stolen device is a foreseeable event that the required risk analysis is meant to identify and that appropriate safeguards are meant to mitigate.
 
Under the settlement, CHCS has agreed to pay HHS $650,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires CHCS to conduct an accurate and thorough security risk assessment; develop, maintain, and implement comprehensive security policies and procedures; educate its workforce on such policies and procedures and train them on security issues; report internal violations of its security policies and procedures to HHS; provide copies of its BA agreements to HHS; maintain compliance records for a period of 6 years; and submit annual compliance reports to HHS.
 
HHS continues to ramp up its HIPAA enforcement activities. This case is likely the first of many enforcement actions against BAs, especially since HHS will begin HIPAA compliance audits of selected BAs this fall under Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program (previously discussed on Arent Fox’s Health Care Counsel blog). As a result, businesses that provide goods and services to covered entities (or to other BAs) and that may come into contact with PHI should carefully assess whether they are subject to HIPAA as a BA. If so, they should have a rigorous HIPAA compliance program in place, including a documented, current risk analysis of their electronic PHI and a risk management plan that addresses the findings.
 
Arent Fox’s Cybersecurity & Data Protection and Health Care groups monitor developments in the healthcare data protection field and regularly advise clients on compliance with HIPAA and other data security requirements. If you have any questions about the topic covered here or other matters, please contact Sarah L. Bruno, Jade Kelly, and Lourdes M. Turrecha in our San Francisco office; Samuel Cohen in our Washington, D.C. office, Thomas Jeffry in our Los Angeles office, or the Arent Fox professional who normally handles your matters.


ABOUT ARENT FOX LLP

Arent Fox LLP, founded in 1942, is internationally recognized in core practice areas where business and government intersect. With more than 350 lawyers, the firm provides strategic legal counsel and multidisciplinary solutions to clients that range from Fortune 500 corporations to trade associations. The firm has offices in Los Angeles, New York, San Francisco, and Washington, DC.