The federal government really, really wants anyone with consumers’ health information on a mobile device to encrypt the information and enable password protection.
The Office for Civil Rights, part of the U.S. Department of Health and Human Services, made that point clear in an announcement of a $650,000 settlement agreement negotiated with Catholic Health Care Services, a health care services unit of the Archdiocese of Philadelphia.
The Office for Civil Rights classifies Catholic Health Care Services as a “business associate” for purposes of applying Health Insurance Portability and Accountability Act health information security and privacy rules.
That means the civil rights office is handling the health care services unit using the same rules it might apply to an insurance agency or insurance brokerage firm.
The Office for Civil Rights treats a health insurer as an entity directly covered by the HIPAA data security rule. The agency has said it will treat any agents or brokers that do business with a covered entity insurer as business associates of the insurer.
An employee at Catholic Health Care Services reported the theft of an employer-provided iPhone in 2013.
The phone contained protected health information for 412 people in six separate Catholic Health Care Services nursing homes, Office for Civil Rights officials say. Entries included consumers’ Social Security numbers, diagnoses, medications and caregiver contact information.
The nursing homes themselves reported the theft of the phone to the Office for Civil Rights in 2014.
The Office for Civil Rights says Catholic Health Care Services made no systematic effort to assess potential health information risks, had no plans for how it would respond to a data security incident, and was not using encryption or phone password protection to protect the health information on the stolen phone.
The settlement agreement
Catholic Health Care Services sold the nursing homes involved in the case to another organization in 2014, but the health care services unit still has responsibility for the proceedings involving the stolen iPhone.
The Office for Civil Rights and Catholic Health Care Services negotiated the settlement agreement to resolve the matter, according to the agreement text.
Catholic Health Care Services is not admitting any liability, and the Office for Civil Rights is not making any concessions about whether the health care services unit is or is not in violation of HIPAA data security rules, according to the text.
In addition to agreeing to pay $650,000 to the Office for Civil Rights, Catholic Health Care Services has agreed to comply with a corrective action plan. Catholic Health Care Services is supposed to develop data security and disaster recovery policies and take other steps to improve how it handles health information.
The Office for Civil Rights and Catholic Health Care Services are not calling the $650,000 payment a penalty or fine. If the health care services unit violates the corrective action plan requirements, it might still have to pay a civil monetary penalty, according to a settlement agreement appendix.
The Office for Civil Rights considered the value of the services Catholic Health Care Services provides for the elderly, young adults aging out of foster care, and others in the Philadelphia area when it determined the resolution amount, officials say.
Jocelyn Samuels, director of the Office for Civil Rights, says in a statement that the office wants to see business associates of HIPAA-covered entities analyze data risks and develop risk management plans.
“Business associates must implement the protections of the HIPAA security rule for the electronic protected health information they create, receive, maintain or transmit from covered entities,” Samuels says.
Kenneth Gavin, a spokesman for the Philadelphia archdiocese, says in a statement on behalf of Catholic Health Care Services that the Office for Civil Rights settlement was reached in a voluntary and amicable fashion.
“There have been no reports of unauthorized access to patient information on the stolen iPhone, and all individuals that may have been affected were timely notified,” Gavin says in the statement. “Since the theft, [Catholic Health Care Services] has taken corrective measures and remains committed to complying with HIPAA and diligently safeguarding its clients’ protected health information while serving the greater Philadelphia community.”