OCR Enters into First Settlement with a Business Associate for Alleged HIPAA Violations
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is shining a brighter enforcement light on HIPAA business associates.
On June 29, 2016, OCR announced that it settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), an entity that provided management and information technology services as a business associate (BA) of nursing homes.
The alleged violations stemmed from the theft of a mobile device, affecting the electronic protected health information (ePHI) of 412 individuals. The BA agreed to pay a $650,000 resolution amount and enter into a corrective action plan.
OCR began investigating CHCS on April 17, 2014, after receiving breach notifications from six covered entities (CEs) that a CHCS employee’s iPhone, which was issued by CCHS, had been stolen. The iPhone was neither encrypted nor password protected. The iPhone contained “extensive” ePHI, including social security numbers, diagnosis and treatment information, and medication information.
OCR’s investigation indicated the following conduct occurred since September 23, 2013, the Security Rule compliance date for BAs:
CHCS failed to perform a Security Rule risk analysis, which is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; and
CHCS failed to implement a Security Rule risk management plan that identifies appropriate security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.
OCR also reported that at the time of the breach, the BA did not have policies in place to address the removal of mobile devices from its premises and procedures for responding to security incidents, as required by the Security Rule.
As part of the corrective action plan, CHCS is required to conduct an enterprise-wide risk analysis and then formulate a plan that is designed to mitigate the risks identified through the risk analysis to an appropriate level. CCHS is also required to develop and implement Security Rule policies and procedures and train workforce members on them. OCR will monitor CCHS’s compliance with the corrective action plan for two years.
Commenting on the settlement, OCR Director Jocelyn Samuels emphasized: “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities…. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule
This enforcement action is particularly significant because it is the first settlement that OCR has entered into with a business associate to resolve indicated noncompliance with the HIPAA Rules. OCR’s settlement with CCHS signals the agency’s increased attentiveness to the HIPAA compliance practices of business associates after the HIPAA Omnibus Final Rule
took effect in 2013. Under the Omnibus Final Rule, which modified certain aspects of the HIPAA Rules, OCR may hold business associates directly liable
for failures to comply with all of the Security Rule provisions,
certain Privacy Rule provisions,
and their Breach Notification Rule obligations.
A business associate is now also required to cooperate with OCR’s complaint investigations and compliance reviews.
Notably, OCR will soon begin randomly auditing business associates to assess their compliance with the HIPAA Rules as part of Phase 2 of its HIPAA Audit Program
While the CHCS settlement is OCR’s first action against a business associate, OCR has already strongly telegraphed that it will be turning a sharper eye toward these entities:
Regarding this settlement, OCR Director Samuels commented: “Two major cornerstones of the HIPAA Rules were overlooked by this entity …. Organizations must have in place compliant BAAs as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
The CHCS settlement offers importance compliance lessons for both business associates and their covered entity clients.
In a May 3, 2016 email newsletter, OCR cautioned covered entities to consider how they will address a breach by their business associate. This is an area of insecurity for many CEs. While the Breach Notification Rule requires BAs to notify their CE after discovering a breach of unsecured PHI, OCR reports that a large percentage of CEs believe their BAs will not, in fact, notify them of breaches or security incidents. OCR also reports that CEs find it “difficult” to manage security incidents involving BAs, and “impossible” to determine whether their BA’s security policies and procedures are adequate to effectively respond to a breach.
In April 2016, OCR settled potential Privacy Rule violations by a covered entity for failing to execute a compliant BAA. OCR investigated the Raleigh Orthopaedic Clinic, P.A., after receiving a breach report in 2013. The agency’s investigation showed the CE released x-ray films and related protected health information (PHI) of 17,300 patients to an entity that would transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. The CE had not executed a BAA with the entity, “acting as its business associate,” before disclosing the PHI to the BA, indicating violations of 45 C.F.R §§ 164.502(a) and 164.502(e). The CE agreed to pay a $750,000 resolution amount, and enter into a corrective action plan. OCR Director Samuels commented: “HIPAA’s obligation on covered entities to obtain business associate agreements (BAAs) is more than a mere check-the-box paperwork exercise …. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In March 2016, OCR settled potential violations with a covered entity for a breach that occurred at the business associate. OCR began its investigation of North Memorial Health Care, a comprehensive not-for-profit health care system, after receiving a report that an unencrypted, password-protected laptop was stolen from the vehicle of a business associate’s employee. This breach impacted the ePHI of 9,497 North Memorial patients. OCR’s investigation indicated that North Memorial:
Provided a BA with access to the CE’s PHI without obtaining satisfactory assurance from the BA (in the form of a written BAA) that the BA would appropriately safeguard PHI.
Impermissibly disclosed at least 289,904 individuals’ PHI to the BA by providing access to PHI without obtaining the BA’s satisfactory assurances (in the form of a written BAA) that the BA would appropriately safeguard the PHI.
Failed to conduct an accurate and thorough risk analysis that incorporated all of the CE’s information technology equipment, applications, and data systems using ePHI.
1. Covered entities should ensure their BAs are ready for a security incident.
While business associates are now directly liable under the Security Rule and many aspects of the Privacy Rule, covered entities remain responsible for selecting their BAs, properly vetting their physical, technical, and administrative safeguards, and embodying the parties’ agreement in a compliant BAA. OCR has provided suggestions on how CEs can help manage risks to ePHI held by business associates to a manageable level.
According to OCR’s email newsletter, CEs should consider defining in the BAA when and how the BA may use or disclose PHI, with all other uses, disclosures, breaches, or incidents to be reported to the CE.
The BAA should also indicate the timeframe in which the BA must report the breach or security incident to the covered entity, as well as the type of information the BA must provide in its report. Further, CEs should ask their business associates how the BA trains its workforce on incident reporting and should consider auditing and assessing the BA’s security and privacy practices. Covered entities should be particularly mindful of their own, and their BA's, minimum necessary obligations to appropriately limit the amount of PHI that could be exposed by a breach at the BA. CEs should likewise make reasonable efforts to ensure role-based access to PHI at the BA, limiting the opportunity for human error.
2. CEs and BAs should encrypt ePHI.
Encryption is an important concept in both the Breach Notification Rule and the Security Rule. The BNR requires covered entities to notify individuals, HHS, and sometimes the media, of breaches of “unsecured protected health information.”
Unsecured protected health information is PHI that is not rendered “unusable, unreadable, or indecipherable to unauthorized persons” through methods authorized by HHS.
HHS guidance issued in 2009
states that ePHI has been rendered unusable, unreadable, or indecipherable if it has been encrypted by use of an “algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and the confidential process or key that might enable decryption has not been breached.” The guidance specifies certain encryption processes for ePHI at rest and in motion that the National Institute of Standards and Technology (NIST) has tested and judged to meet appropriate Security Rule standards. Under the Security Rule, “encryption” is an addressable implementation specification requiring CEs and BAs to implement a mechanism to encrypt ePHI both at rest and in motion “whenever deemed appropriate.”
So, when is it appropriate to encrypt ePHI at rest and in motion? The answer may be “always,” particularly in the context of mobile device security
. Several substantial OCR enforcement actions stemmed from lost or stolen unencrypted portable electronic devices.
3. CEs and BAs should perform an accurate, thorough, enterprise-wide risk analysis.
The Security Rule requires that covered entities and business associates implement a security management process – policies and procedures to prevent, detect, contain, and correct security violations. A required implementation specification of the security management process is a risk analysis
, which is “an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by” the CE or BA.
As with all Security Rule requirements, CEs and BAs can take a flexible approach to risk analysis, considering – among other things – their size, complexity, and capabilities as well as the probability and criticality of potential risks to ePHI.
While the Security Rule emphasis is always on what is “reasonable and appropriate” for a particular entity, it is impossible to overstate the importance of the risk analysis as a foundational element of the CE’s or BA’s security management process. Former OCR Director Leon Rodriguez has emphasized: “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program …. Proper security measures and policies help mitigate potential risk to patient information.”
4. CEs and BAs should safeguard PHI taken off-site.
CEs and BAs lose a measure of control over PHI once it leaves the entity’s premises. According to a 2015 study of 949 large breaches between 2010 and 2013, more than half resulted from loss or theft of laptops, other portable media, and paper.
Considering that these breaches affected alone affected more than 29 million records, CEs and BAs are rightly concerned about the risks attendant to off-site use.
The Security Rule addresses the issue directly, requiring, CEs and BAs to implement policies and procedures for device and media controls, including the “receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility and the movement of these items within the facility."
The Privacy Rule more generally requires appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, including safeguarding PHI from unauthorized use or disclosure, whether intentional or unintentional.
OCR’s enforcement actions, including imposition of a civil money penalty in one case
, underscore the importance of analyzing the risks and vulnerabilities attendant to offsite use, implementing policies and procedures to reduce those risks and vulnerabilities to an acceptable level, and appropriately training workforce members.
The time is right for covered entities and business associates to closely examine the BA relationship. Optimizing HIPAA compliance programs protects both individuals and businesses, and a robust risk management program is essential to managing risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information to an acceptable level.
For more information about HIPAA compliance and data security, contact Kim Metzger
, Deepali Doddi
, or another member of our Data Security and Privacy group
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
A “business associate” is a person or entity that creates, receives, maintains, or transmits PHI to provide certain services to the CE (45 C.F.R. § 160.103). Both the Privacy Rule and the Security Rule prohibit disclosing PHI to a business associate unless and until the BA has provided “written assurances” that it will appropriately safeguard the information (45 C.F.R. § 164.502(e)(1) (Privacy Rule); 45 C.F.R. § 164.314(a) (Security Rule)). These assurances must be documented in a “written contract or other arrangements” that meets the requirements of a BAA (45 C.F.R § 164.502(e)(2)). A compliant BAA also clarifies and limits the BA’s permissible uses and disclosures of PHI, based upon the parties’ relationship and the services the BA performs. A BA may only use and disclose PHI as permitted or required by the BAA, or as required by law. BAs are now directly liable under the HIPAA Rules for uses and disclosures that the BAA does not authorize.
See U.S. Dept. of Health and Human Services, Office for Civil Rights, “Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement,” (June 29, 2016), available here
45 CFR 164.308(a)(1)(ii)(A)
45 CFR 164.308(a)(1)(ii)(B)
See 45 C.F.R. § 160.402(a) (noting that HHS may assess civil money penalties against both covered entities and business associates for violations of applicable provisions of the HIPAA Rules).
See 45 C.F.R. § 164.302 (indicating that all provisions of the Security Rule are applicable to both covered entities and business associates).
See, e.g., 45 C.F.R. §§ 164.502(a)(3), 164.502(a)(4), 164.502(e), and 164.504(e).
See 45 C.F.R. §§ 164.410 and 164.412.
See 45 C.F.R. § 160.310(b).
See U.S. Dept. of Health and Human Services, Office for Civil Rights, “OCR Cyber-Awareness Monthly Update (May 3, 2016), available here
45 C.F.R. § 164.410(a)(1).
The Security Rule defines a “security incident” as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. (45 C.F.R. § 164.304). Under the Breach Notification Rule, a “breach” generally means an impermissible acquisition, access, use, or disclosure that compromises the security or privacy of PHI. (45 C.F.R. § 164.402).
45 C.F.R §§ 164.308(b) and 164.502(e).
45 C.F.R. §§ 164.502(a).
45 C.F.R. § 164.308(a)(1)(ii)(A).
See U.S. Dept. of Health and Human Services, Office for Civil Rights, “OCR Cyber-Awareness Monthly Update (May 3, 2016), available here
45 C.F.R. §§ 164.404(a) (notification to affected individuals), 164.406(a) (notification to the media), 164.408(a) (notification to HHS).
74 Fed. Reg. 162 (August 24, 2009).
See 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii)). Note that “addressable” does not mean “optional.” When a standard includes addressable implementation specifications, the CE or BA must (1) implement the implementation specification of reasonable and appropriate, or (2) document why implementation is not reasonable and appropriate, and implement an equivalent alternative measure if reasonable and appropriate. 45 CFR 164.306(d)(3).
45 C.F.R. § 164.308(a)(ii)(A)
45 C.F.R. § 164.306(b)
Liu, V., Musen, MA, and Chou, T. Data Breaches of Protected Health Information in the United States. JAMA
2015; 313(14): 1417-1473. Doi:10.1001/jama.2015.2252.
45 C.F.R. § 164.310(d)(1)
45 C.F.R § 164.530(c)(2)(i)