August 8, 2020

Volume X, Number 221

Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone. The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, and medication; and names of family members and legal guardians. CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

According to the Resolution Agreement and Corrective Action Plan, CHCS provides management services and is the sole corporate parent of six nursing homes. After the nursing homes reported the breach of unsecured PHI following the theft of the iPhone, OCR initiated an investigation into CHCS’s compliance with HIPAA. OCR concluded that CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also found that CHCS had not conducted a risk analysis, as required by the HIPAA Security Rule, and had no risk management plan.

In announcing the substantial financial penalty, OCR noted that it took into account the important services that CHCS provides to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS in the Philadelphia region.

This settlement should put business associates on notice of the potential for significant liability for failure to implement required HIPAA policies and procedures. Furthermore, business associates should take steps to ensure that all PHI on laptops and mobile devices is rendered unreadable and unusable to unauthorized users, such as through encryption.

© 2020 Covington & Burling LLP

National Law Review, Volume VI, Number 189


About this Author

Dena Feldman, healthcare attorney, Covington

Dena Feldman helps clients from across the health care industry navigate a range of complex regulatory and policy issues.

Ms. Feldman has particular expertise in health privacy issues arising under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and state medical privacy laws. Ms. Feldman also regularly counsels clients on the federal rules and policies governing Medicare and Medicaid, including the new mandates of the Affordable Care Act.