Philadelphia Business Associate Agrees to $650K OCR Settlement

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released details of a settlement reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) on June 24, 2016. CHCS has agreed to settle alleged HIPAA violations with OCR, to implement a Corrective Action Plan, and to pay a financial penalty of $650,000.

CHCS is the sole corporate parent of six skilled nursing facilities – St. Martha’s Manor, St. Mary’s Manor, St. John Neumann Home, Immaculate Mary Home, St. Francis Country House, and St. Monica’s Manor – and provides management services to those facilities. In that role CHCS is a HIPAA business associate and must comply with the HIPAA Rules.

In February 2014, each of the six nursing facilities submitted a breach notification to OCR concerning a breach of electronic protected health information (ePHI). OCR opened its investigation into the breach on April 17, 2014.

A large number of OCR investigations into ePHI breaches have uncovered failures to comply with the HIPAA Security Rule’s administrative safeguards, in particular 45 C.F.R. § 164.308(a)(1)(ii)(A). This implementation specification requires covered entities and their business associates to conduct an accurate and thorough, organization-wide risk analysis.

The purpose of the risk analysis is to identify “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” If no risk analysis is performed, ePHI may be exposed to risks that the covered entity or business associate is not even aware of, and that therefore go unaddressed.

OCR investigators determined that CHCS had failed to conduct an accurate and thorough risk analysis at any point since September 23, 2013 (the date from which business associates became directly liable for Security Rule compliance under the HIPAA Omnibus Final Rule). CHCS had also failed to implement appropriate security measures to reduce risks to ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

The settlement should serve as a reminder to all covered entities and their business associates that OCR will impose financial penalties for violations of the HIPAA Rules. With the second phase of HIPAA compliance audits approaching, healthcare organizations must ensure that a HIPAA-compliant risk analysis covering all policies, procedures, and systems has been conducted. Following the risk analysis, a risk management plan must be developed and implemented to address every risk identified during the analysis.

Any HIPAA covered entity or business associate selected for audit is likely to be asked to produce documentary evidence that a risk analysis has been performed and that a risk management plan has been implemented.

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cyber security. Mark has contributed to leading publications and spoken at international forums, with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.