IT service provider agrees to pay $650k for SNF HIPAA breach

A Philadelphia IT services provider has agreed to pay more than half a million dollars to settle a HIPAA case arising from the theft of a nursing home employee's smartphone that contained residents' personal medical information.

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), which provides information technology and management services to six nursing homes, has agreed to pay $650,000 and implement a two-year corrective action plan to prevent further violations, according to a document from the U.S. Department of Health & Human Services Office for Civil Rights (OCR).

The case involved the 2014 theft of a mobile phone that stored more than 400 residents' medical information and Social Security numbers. The CHCS-issued phone was neither encrypted nor password-protected. CHCS also had not conducted "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI," and did not "implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply" with the HIPAA Security Rule, the OCR document states.

The agreement is the first OCR settlement in which a business associate is the liable entity: CHCS, as the nursing homes' third-party IT services provider, was responsible for the smartphone, according to the OCR document.

The case highlights the need for business associates and other third-party service providers to be as diligent about data security as the care providers they serve. OCR has held business associates directly liable for HIPAA compliance since the 2013 Omnibus Rule, and the earliest such cases are now reaching settlement.
