On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a “business associate” under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.

Click here to read our complete WSGR Alert on the enforcement action.