Client Alert: First OCR HIPAA Settlement with a Business Associate Highlights Seriousness of Increased Scrutiny on Vendors

Client Alerts Privacy & Data Security

Tara Cho
Elizabeth Johnson

The Office for Civil Rights (OCR) has announced its first HIPAA settlement agreement directly with a business associate. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) entered into a resolution agreement with OCR that provides for a $650,000 resolution payment and a two-year corrective action plan. In February 2014, OCR received breach notifications from each of CHCS’s six skilled nursing facility clients. The notifications reported that a CHCS employee’s unencrypted iPhone containing protected health information (PHI) had been stolen. OCR investigated the breach and determined that CHCS had failed to conduct a thorough risk analysis and had not implemented appropriate security measures to reduce the risks to PHI. This settlement continues OCR’s heightened scrutiny of business associates, a trend detailed in this article.

Prior to the CHCS action, OCR also concluded two settlements with covered entities that focused heavily on the absence of a business associate agreement (BAA) with vendors handling PHI. The resolution payments were $750,000 and $1,550,000, and, like CHCS, both organizations are now subject to a corrective action plan.

In March 2016, OCR launched Phase 2 of its HIPAA Audit Program, which OCR will use to identify the specific business associates of covered entities. OCR’s stated intention is to then expand the audits to include those business associates. In our practice, we have also increasingly seen OCR compliance reviews question business associate practices and inquire directly of business associates regarding their HIPAA compliance. These efforts and the CHCS action are the beginning of what we believe will be a sustained effort by OCR to send a message to the business associate community that HIPAA compliance is mandatory and that failure to comply will be subject to sanctions.

Business associates are contractually responsible for complying with their BAAs, and are directly responsible for complying with the HIPAA Security Rule and the applicable provisions of the Privacy and Breach Notification Rules. Business associates must now be prepared for HIPAA audits, investigations, and compliance reviews that may result in direct enforcement and liability. Business associates can expect to hear from OCR directly after a breach is reported, or after an individual files a complaint with OCR, that arises from their conduct.

The Privacy and Data Security team at Wyrick Robbins Yates & Ponton LLP frequently assists covered entities and business associates with compliance initiatives, such as developing HIPAA compliance programs, conducting HIPAA risk analyses and compliance assessments, negotiating BAAs, and responding to OCR inquiries and compliance reviews. Please contact us with any questions about these issues or related HIPAA matters.