Our predictions that the Office for Civil Rights (OCR) will become more aggressive with audits, investigations, and fines against HIPAA business associates have come true.

On June 24, 2016, the OCR announced that it has settled an investigation with Catholic Health Services of the Archdiocese of Philadelphia (CHCS), stemming from CHCS’ capacity as a HIPAA business associate, concluding with a fine of $650,000 and a Resolution Agreement. This is the first such settlement and Resolution Agreement with a business associate.

CHCS is the sole corporate parent of six nursing facilities in the Philadelphia area and provides management services to the nursing homes. In February 2014, each of the six nursing facilities self-reported data breaches, which resulted in investigations that commenced on April 17, 2014. The breach occurred when a mobile device containing the information of 412 nursing home residents was stolen.

The investigation found that CHCS had failed to perform a comprehensive risk analysis since the HITECH Act became effective in September 2013. According to the OCR, at the time of the incident “CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of an incident; OCR also determined that CHCS had no risk analysis or risk management plan.”

This settlement shows the importance of business associates implementing a robust HIPAA compliance program, including mobile device management. The precedent has been established: business associates, take note and be prepared.