November 28, 2020

Volume X, Number 333


Recent Enforcement Action Shows Business Associates Are Not Off the Hook

Despite the fact that Business Associates have been directly subject to and liable under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010 (the effective date of the relevant provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act), the Department of Health & Human Services, Office for Civil Rights (OCR), announced last Thursday, June 30, 2016, that it has entered into its first resolution agreement with a HIPAA Business Associate.

The resolution agreement is with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) for potential violations of the HIPAA Security Rule and includes a monetary resolution payment of $650,000 and a corrective action plan (CAP). According to OCR’s press release, CHCS provided management and information technology services to six skilled nursing facilities. At the time of the incident, CHCS was also the sole corporate parent of those facilities. In April 2014, OCR initiated an investigation after receiving separate notification from each of the six skilled nursing facilities that CHCS had experienced a breach of protected health information (PHI) when a CHCS-issued employee iPhone was stolen. Significantly, the iPhone was unencrypted and was not password protected. The PHI on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information of 412 individuals. At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also found that CHCS had no risk analysis or risk management plan.  

In determining the settlement amount, OCR stated that it took into account that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS. Under the CAP, OCR will monitor CHCS for two years to ensure CHCS remains compliant with its HIPAA obligations. Among other CAP obligations, CHCS is required to conduct an accurate and thorough risk assessment within 120 days of the effective date of the CAP and to develop written policies and procedures and provide those policies to OCR for review and approval within 150 days of the effective date of the CAP. A copy of the resolution agreement and CAP can be found on the OCR website.

There is no question Business Associates play a large role in creating, maintaining and transmitting PHI; they also play a large role in securing (or failing to secure) PHI. According to OCR’s website, in 2015, eleven 500+ breaches (which are breaches affecting 500 or more individuals) were reported to OCR by Business Associates. In one case, Business Associate Medical Informatics Engineering reported that it was the target of a cyber-attack which affected over 3.9 million individuals. In 2016, ten 500+ breaches have been reported to OCR by Business Associates. Note: These numbers do not include Business Associate breaches affecting less than 500 individuals or breaches reported to Covered Entity clients, which is what Business Associates are required to do under the HIPAA regulations.  

According to OCR Director Jocelyn Samuels: “Business associates must implement the protections of the HIPAA Security Rule for the electronic [PHI] they create, receive, maintain, or transmit from covered entities… This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” Based on the CHCS resolution agreement, the number of 500+ breaches that have been reported to OCR over the past two years by Business Associates, and the inclusion of Business

Associate in OCR’s Phase II HIPAA Audits, which kicked off earlier this year and is scheduled to be completed by the end of 2016, it is only a matter of time before additional OCR investigations will result in resolution agreements with Business Associates. For those Business Associates who have not yet focused on their HIPAA compliance, the CHCS resolution agreement is yet another indicator that OCR means business. 

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume VI, Number 190



About this Author

Erin Fleming Dunlap, Polsinelli, Compliance Matters Attorney, Health Insurance Portability Lawyer,

Erin Dunlap is proactive and quick to respond to clients' needs. She regularly advises health care clients on legal and regulatory compliance matters. She also has a litigation background that enables her to assist clients when things do not go as planned, such as when a laptop containing patient information is stolen, a patient threatens to sue for improper disclosure, or law enforcement demands the production of medical records. 

Erin focuses primarily on privacy and security issues arising under:

  • Health...


In a regulatory environment where even the most minor details matter, Rebecca Frigy Romine thrives on helping clients find practical and creative solutions and action plans.

Her practice focuses on many facets of the general health care business with a specific emphasis on the privacy and security of health information and medical staff issues.

Rebecca has significant experience in and frequently writes on these topics and remains abreast of regulatory changes and best practice.

Lindsay Dailey Health Care Privacy Attorney

Lindsay Dailey serves clients at the intersection of healthcare regulatory and privacy/data security compliance. Prior to joining the firm, Lindsay worked with the American Medical Association, American Dental Association, and Rehabilitation Institute of Chicago. This in-house experience in corporate compliance and regulatory issues serves her practice and her clients well - in fact, she spent over a year in-house secunded to the Privacy Office of a firm client, a national retail pharmacy chain. 

Lindsay graduated law school with a certificate in Health Law, and she was formerly a...