Compliance Data Visibility & Protection Healthcare

First Business Associate HIPAA Penalty Announced

July 18, 2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first resolution agreement with a business associate on June 29th, 2016. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the 2014 theft of an unprotected mobile device put the protected health information (PHI) of 412 nursing home residents at risk.

CHCS, which was responsible for the management and IT services provided to six skilled nursing facilities, agreed to pay a resolution amount of $650,000 and submit to a corrective action plan, which includes two years of direct monitoring by the OCR. The resolution underlines the new focus the OCR is placing on business associates. This was hinted at earlier this year with a new brief on how to manage security incidents involving business associates by ensuring safeguards are adequate, providing prompt notification, and responding effectively to a data breach. The OCR's phase two compliance audits will also include evaluations of business associates this year.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

At the time of the incident, the OCR determined that CHCS had no policies addressing the use of mobile devices or the use of PHI on mobile devices. The OCR also determined that CHCS had no risk analysis or risk management plans in place. This settlement also reinforces that the size of a data breach does not necessarily correlate with the resolution amount.

According to current HIPAA standards, lost or stolen mobile devices that are password-protected and encrypted to HIPAA standards are exempt from notification requirements. The corrective action required of CHCS also includes effective security incident response, mobile device controls, and audit and integrity controls, among other requirements.

Absolute DDS for Healthcare provides visibility for your fleet of devices, as well as the data they contain, with alerts for events and activities that could be precursors to a security incident. With insight from Absolute DDS reporting and alerts, you can prevent or respond to data breaches, remotely deleting data or locking down devices, and prove compliance if needed. With full reporting capabilities, you can prove that your data remained protected, even when it was physically outside your control. Absolute DDS for Healthcare is a comprehensive onboarding program which pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at
