When it comes to enforcement of privacy rules, you can’t hide behind a cloak. That is the message of a recent federal settlement with the Archdiocese of Philadelphia. The Diocese recently agreed to pay $650,000 to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), relating to the theft of a mobile device containing protected health information for 412 nursing home residents. Take note: We’re talking about a single incident of a stolen device.
The “mea culpa” was in the failure to take measures to prevent such an incident. The Diocese served as a Business Associate, performing IT services for six skilled nursing facilities. But the Diocese had not conducted a security risk assessment to protect the private health information in its care. That translated into the absence of daily procedures to safeguard databases and devices containing health information.
In this and other recent actions, the feds are emphasizing that Business Associates will be held accountable for reasonably protecting private information entrusted to their care.
Read more about what happened in the announcement by the U.S. Office for Civil Rights (OCR).