On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000.
CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules.
In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach.
A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered entities and their business associates to perform a comprehensive organization-wide risk analysis.
The purpose of the risk analysis is to identify “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If a risk analysis is not performed, ePHI may be exposed to compromise without the covered entity or business associate being aware of it.
OCR investigators determined that CHCS had failed to perform a comprehensive risk analysis since September 23, 2013. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B).
The settlement should serve as a warning to all covered entities and their business associates that the OCR will pursue financial penalties for violations of HIPAA Rules. With the second round of HIPAA compliance audits looming, healthcare organizations should ensure that a HIPAA-compliant risk analysis is performed that covers all systems, policies, and procedures that create, receive, maintain, or transmit ePHI. Following the risk analysis, a risk management plan should be developed and implemented to remediate the risks the analysis identifies.
Any HIPAA covered entity selected for audit will likely be asked to provide documentary evidence that demonstrates that a risk analysis has been conducted and that a risk management plan has been executed.