The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has entered into a Resolution Agreement with a business associate over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI).

On June 24, 2016, OCR agreed to settle with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that provided management and information technology services to its six nursing homes as a business associate. OCR alleged that CHCS potentially violated the HIPAA Security Rule after a CHCS-issued employee smartphone containing nursing home residents’ ePHI was stolen.  As part of the settlement, CHCS agreed to pay $650,000 and adhere to a two-year corrective action plan requiring the business associate to: conduct annual risk assessments; develop, maintain, and revise its policies and procedures to address a number of Security Rule requirements, including encryption of ePHI, audit controls, integrity controls, log-in monitoring, and password management; provide training for all workforce member with access to ePHI; and submit annual compliance reports to OCR, among other provisions.

OCR first began holding business associates directly liable under HIPAA in 2013.  Because OCR settlement agreements often come two to three years after an initial incident – providing time for agency investigation – the timing of this first settlement is right on track, and we are likely to see settlements with business associates interspersed with covered entity settlements in the coming years.  For more details and key takeaways, you can read the full advisory here.