By Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates
On July 5, the Office for Civil Rights (OCR) announced its first HIPAA settlement with a business associate. The business associate, which provides IT and management services to six nursing homes, agreed to pay $650,000 to resolve potential HIPAA violations. According to OCR, an unencrypted iPhone was stolen from a business associate employee. The iPhone, which was also not password protected, held ePHI for 412 nursing home residents, including Social Security numbers, diagnosis and treatment information, medications, and family member information.
It could have been worse
In its press release, OCR made a point of noting that the nursing homes involved “provide…unique and much-needed services… to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.” This statement suggests that the nature of the company’s services and the needs of its customers lowered the settlement amount.
As part of the two-year settlement, the business associate agreed to, among other things:
- Conduct and document a HIPAA security risk assessment
- Develop and implement security policies and procedures
- Distribute the security policies and procedures to the entire workforce
- Update policies and procedures
- Investigate policy and procedure violations and breaches
- Provide business associate agreements to the Secretary
- Provide security training to the workforce
The above settlement terms map out HIPAA security compliance steps that all covered entities and business associates should take to prepare for OCR audits – plus, of course, enacting remote access and mobile device policies (including device encryption and passcode requirements, the two controls missing in this case) to protect ePHI in an increasingly mobile work environment.