HIPAA Compliance and Mobile Devices

August 3, 2016

HHS Issued a Fine After a Stolen Phone Resulted in HIPAA Compliance Violations

HIPAA compliance violations represent a significant threat to patient privacy and the financial security of healthcare institutions. Lost, stolen or hacked mobile devices may be a weak link in an organization’s HIPAA compliance efforts. Consequently, healthcare providers must take meaningful precautions to ensure all mobile devices are well secured and meet the guidelines for HIPAA compliance. As the following story from lexology.com indicates, failure to comply can be devastating.

‘On June 24, 2016, the non-profit Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule with the U.S. Department of Health and Human Services (HHS). This is HHS’ first resolution agreement and monetary penalty against a business associate (BA) under HIPAA.

CHCS provides management and IT services to nursing facilities as a BA. The alleged HIPAA violations arose from theft of a CHCS mobile device, compromising 412 nursing home residents’ protected health information (PHI). HHS’ investigation results indicate that CHCS failed to (1) conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic PHI, and (2) implement appropriate security measures to reduce such risks and vulnerabilities, in violation of HIPAA’s Security Rule.

Under the settlement, CHCS has agreed to pay HHS $650,000 and comply with a comprehensive Corrective Action Plan (CAP). The CAP requires CHCS to conduct an accurate and thorough security risk assessment; develop, maintain, and implement comprehensive security policies and procedures; educate its workforce on such policies and procedures and train them on security issues; report internal violations of its security policies and procedures to HHS; provide copies of its BA agreements to HHS; maintain compliance records for a period of 6 years; and submit annual compliance reports to HHS.

HHS continues to ramp up its HIPAA enforcement activities. This case is surely just the first of many enforcement actions against BAs, especially since HHS will start conducting its HIPAA compliance audits of select BAs this fall under Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program (previously discussed on Arent Fox’s Health Care Counsel blog here, here, and here). As a result, businesses that provide goods and services to covered entities (and to BAs) and may come into contact with PHI should carefully assess whether they are subject to HIPAA as a BA. If so, they should have a rigorous HIPAA compliance program in place.’

St. Louis is fortunate to have such a vibrant healthcare industry. To ensure HIPAA compliance, patient privacy and healthcare provider viability, Aglet Technology takes seriously the need to secure mobile devices for St. Louis area healthcare providers. For a consultation, or assistance with compliance, please call 314-200-8995.
