The Department of Health and Human Services’ Office for Civil Rights (OCR) recently entered into its first settlement with a business associate for violating the HIPAA Security Rule. The OCR levied a fine of $650,000 against the Archdiocese of Philadelphia after an iPhone was stolen in 2013 from a Catholic Health Care Services (CHCS) employee. The theft of the phone led to the loss of 412 people’s protected health information (PHI). In 2014, the OCR determined that CHCS had failed to perform a security risk analysis or to put a security risk management plan in place.

Another recent PHI breach involving a business associate was disclosed by Massachusetts General Hospital. In February, Massachusetts General learned that an unauthorized party had gained access to electronic files stored by Patterson Dental Supply Inc. Patterson Dental Supply provides dental practice management software to the hospital as well as to other healthcare providers. The data of 4,300 Massachusetts General dental patients was exposed, including dates of birth, Social Security numbers, and possibly the dates and times of their dental appointments.

The HITECH Act of 2009 made business associates of health organizations subject to HIPAA’s privacy and security rules, just as healthcare organizations themselves are. However, only this year has the OCR begun auditing business associates as part of a formal round of audits.