Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to pay $650,000 to settle potential HIPAA violations after the theft of a CHCS mobile device compromised the protected health information of hundreds of nursing home residents, according to the Department of Health and Human Services.
HHS said 412 people were affected by the combined breaches. The settlement includes the fine of $650,000 and a corrective action plan. Catholic Health Care provided management and information technology services as a business associate to six skilled nursing facilities, HHS said.
"Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities," said U.S. Department of Health and Human Services Office for Civil Rights Director Jocelyn Samuels. "This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."
The Office for Civil Rights initiated its investigation on April 17, 2014, after receiving notification of the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected, HHS said.
The information on the iPhone was extensive, and included Social Security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.
At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing protected information from its facility or what to do in the event of a security incident. There was also no risk analysis or risk management plan, HHS said.
In determining the resolution amount, the Office of Civil Rights considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.
The office will monitor CHCS for two years as part of the settlement agreement.