Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a HIPAA business associate of the affected nursing facilities, has agreed to pay $650,000 to settle potential HIPAA violations and to implement a corrective action plan after the theft of an unencrypted mobile device compromised the protected health information of 412 nursing home residents.
HHS' Office for Civil Rights began investigating CHCS in April 2014 after learning that a CHCS-issued employee iPhone had been stolen. The iPhone was neither encrypted nor password-protected, and it contained sensitive information, including Social Security numbers, diagnosis and treatment information, medical procedures, medication information, and the names of family members and legal guardians.
Additionally, at the time of the theft, CHCS had no policies governing the removal of devices containing PHI from its facilities, and it had never conducted a risk analysis or adopted a risk management plan.
"Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain or transmit from covered entities," said HHS OCR Director Jocelyn Samuels. "This includes an enterprise-wide risk analysis and corresponding risk management plan, which are cornerstones of the HIPAA Security Rule."