July 08, 2016

Settlement Related to Theft of Mobile Device Further Highlights Need to Revisit Privacy and Security Policies and Procedures As the Audit Process Unfolds

As a follow-up to our April 2016 Legal Alert, the need for health care providers to review their privacy and security programs cannot be overemphasized. Last week, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a Business Associate, agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule after the theft of a CHCS mobile device allegedly compromised the protected health information (PHI) of 412 nursing home residents. CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement consists of a $650,000 payment and a corrective action plan that includes two years of monitoring.

In announcing the settlement, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) emphasized the importance of an enterprise-wide risk analysis and a corresponding risk management plan. OCR opened its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was neither encrypted nor password protected. Because the device was unencrypted, the PHI on it was not "secured" within the meaning of HHS guidance, so the theft was a reportable breach rather than a loss of unreadable data. The information on the iPhone included social security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians, and medication information.

OCR stated that, at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or the response to a security incident. OCR also determined that CHCS had performed no risk analysis and had no risk management plan.

As we reported in April of this year, Phase 2 of the OCR HIPAA Audits is underway, and OCR has already obtained contact information from many providers by e-mail. In addition, many providers have now received a questionnaire designed to gather data about the size, type, and operations of potential audit targets. OCR is combining this data with other information to develop pools of potential auditees from which audit subjects will be selected.

In addition, last month OCR released further guidance on the right of individuals under HIPAA to access and receive copies of their health information. The materials are intended to be easy for individuals to understand and include videos and an illustrated fact sheet. They should further sensitize patients to their rights, and providers to their duties, under the HIPAA rules.

Should you require assistance in ensuring HIPAA compliance, please contact Melissa M. Zambri, Co-Chair of the Barclay Damon Health Care and Human Services Practice Area at 518-429-4229 or mzambri@barclaydamon.com.
