The federal government really, really wants anyone with consumers’ health information on a mobile device to encrypt the information and enable password protection.
The Office for Civil Rights, part of the U.S. Department of Health and Human Services, made that point clear in an announcement of a $650,000 settlement agreement negotiated with Catholic Health Care Services, a health care services unit of the Archdiocese of Philadelphia.
The Office for Civil Rights classifies Catholic Health Care Services as a “business associate” for purposes of applying Health Insurance Portability and Accountability Act health information security and privacy rules.
That means the civil rights office is handling the health care services unit using the same rules it might apply to an insurance agency or insurance brokerage firm.
The Office for Civil Rights treats a health insurer as an entity directly covered by the HIPAA data security rule. The agency has said it will treat any agents or brokers that do business with a covered entity insurer as business associates of the insurer.
The allegations
An employee at Catholic Health Care Services reported the theft of an employer-provided iPhone in 2013.
The phone contained protected health information for 412 people in six separate Catholic Health Care Services nursing homes, Office for Civil Rights officials say. Entries included consumers’ Social Security numbers, diagnoses, medications and caregiver contact information.
The nursing homes themselves reported the theft of the phone to the Office for Civil Rights in 2014.
The Office for Civil Rights says Catholic Health Care Services made no systematic effort to assess potential health information risks, had no plans for how it would respond to a data security incident, and was not using encryption or phone password protection to protect the health information on the stolen phone.
The settlement agreement
Catholic Health Care Services sold the nursing homes involved in the case to another organization in 2014, but the health care services unit still has responsibility for the proceedings involving the stolen iPhone.
The Office for Civil Rights and Catholic Health Care Services negotiated the settlement agreement to resolve, according to the agreement text.