Message sent and received: First HIPAA settlement involving a business associate – a cautionary tale
The math is eye-opening — a $650,000 settlement for a breach affecting 412 people. In the first HIPAA settlement involving a “business associate,” HHS’s Office for Civil Rights (OCR) has sent a strong message to all business associates about the importance of complying with HIPAA’s privacy and security rules.
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provides management and information technology services to skilled nursing facilities, is a business associate under HIPAA because it performed certain services using protected health information (PHI) on behalf of a HIPAA “covered entity” (HHS publishes descriptions of both covered entities and business associates). In 2014 a smartphone provided by CHCS to an employee was stolen. The smartphone held PHI of 412 patients and was neither encrypted nor password-protected. It is not clear whether the PHI on the phone was viewed, but it included Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. CHCS reported the breach to HHS, and OCR began an investigation.
OCR’s investigation revealed that:
- CHCS did not have policies governing the removal of mobile devices containing PHI from its premises;
- CHCS did not have an incident response plan to guide its actions after a security incident; and
- More generally, CHCS had no risk analysis or risk management plan.
OCR subsequently commenced an enforcement action against CHCS, and the parties settled the action with the $650,000 penalty and CHCS’s adoption of a two-year Corrective Action Plan. The CAP requires CHCS to improve its security practices by, among other things:
- Conducting an annual assessment of the risks relating to the electronic PHI held by CHCS;
- Documenting the security measures taken to address those risks; and
- Developing and implementing written policies and procedures that address compliance with HIPAA’s privacy and security rules.
The CAP includes matters that CHCS must address, including encryption of electronic PHI, password management, incident response, control of mobile devices, monitoring of access to sensitive data, data backup and disaster recovery, and audit and data integrity controls.
The settlement demonstrates OCR’s intent to put its regulatory finger on the conceptual balance scale that organizations use in deciding where to invest their cyber risk management dollars. The NIST Framework and other cybersecurity advisories recommend that organizations choose their priorities based on their particular profiles: the nature and amount of their information and network assets, their risk exposures, their budgetary and operational realities, and their business goals. A business associate without access to large amounts of PHI, using widely available cost-per-record calculators, might conclude that it faces little financial exposure from the breach of a few hundred or a few thousand records and direct its cyber risk management investments accordingly. The CHCS enforcement action reflects OCR’s desire to change that calculus, so that business associates give considerable weight to measures that will make the breach of any PHI less likely.
In politics, they say it’s not the lie that causes the most damage – it’s the cover-up. As the CHCS enforcement action and settlement demonstrate, with HIPAA it’s often not the breach that causes the most pain — it’s the failure to have done a thorough risk analysis and implemented an appropriate risk management plan. The immediate costs of dealing with a breach (legal and forensic investigation fees, notification and credit/identity theft protection, etc.) are bad enough; the longer-term costs of a harsh regulatory and public spotlight, financial penalties, ongoing scrutiny and a damaged reputation make matters significantly worse. Business associates should therefore make sure that the cyber risk management choices they make are based on an organization-wide risk analysis, documented in policies and procedures, and implemented with diligence appropriate to the sensitivity of the information at risk.
About the Author
John Doernberg is an Area Vice President at Arthur J. Gallagher. He works with inside and outside counsel as a Claims Advocate for Gallagher clients on policy negotiation and the handling and settlement of claims, and is a resource on privacy, information security and risk management issues. Prior to becoming an insurance broker in 1995, he practiced corporate law in New York and Boston for 12 years.