Settlement Related to Theft of Mobile Device Further Highlights Need to Revisit Privacy and Security Policies and Procedures As the Audit Process Unfolds

As follow-up to our April 2016 Legal Alert, the need for health care providers to review their privacy and security programs cannot be overemphasized. Last week, Business Associate Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule after the theft of a CHCS mobile device allegedly compromised the protected health information (PHI) of 412 nursing home residents. CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included a monetary payment of $650,000 and a corrective action plan, which included two years of monitoring.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) emphasized, when discussing the settlement, the importance of an enterprise-wide risk analysis and corresponding risk management plan. OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information.

OCR stated that at the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.

As we reported in April of this year, Phase 2 of the OCR HIPAA Audits is underway, with contact information being obtained by e-mail for many providers already. In addition, many providers have now received a questionnaire designed to gather data about the size, type, and operations of potential audit targets. This data is being used by OCR with other information to develop pools of potential auditees for the purpose of making audit subject selections.

In addition, last month, OCR released further guidance related to the right of individuals under HIPAA to access and receive copies of their health information. The goal of OCR was to make this guidance more understandable for individuals. The tools released are meant to be easy-to-understand and include videos and an illustrated fact sheet. These materials should further sensitize patients as to their rights and providers' duties under the HIPAA rules.