PHILADELPHIA — A lost smartphone that led to a data breach has ended up costing a health care management company $650,000 and points to the importance of securing protected health information, according to a lawyer who practices health care law.
On June 30, the Office for Civil Rights in the U.S. Department of Health and Human Services announced a settlement with the Catholic Health Care Services of the Archdiocese of Philadelphia over an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA). The company, which provides health care management at nursing homes in Philadelphia, agreed to pay $650,000 and put in place plans to prevent another breach.
“I think one of the big takeaways from a settlement like this is this could happen to any business associate, and it could happen to any covered entity,” Bruce Armon, chair of Saul Ewing’s health care practice group, told the Pennsylvania Record. “It underscores the importance of making sure the organization is thoughtful about how protected health information is being handled, how it's being used, and the various media its employees may use to effectively do their job.”
The breach, which affected more than 400 patients, apparently happened after an employee’s company-issued iPhone was stolen. The iPhone wasn’t encrypted, nor was its passcode secured, according to the Office for Civil Rights.
The theft or loss of a smartphone might seem like a commonplace occurrence, Armon said, but, as in this case, it can affect both patients and businesses.
“I think it's an important takeaway for any organization that's handling (protected health information) to make sure they've taken reasonable safeguards to protect patients' information,” he said. “It's a very significant settlement for what seemingly is a small issue that had major consequences for the organization.”
In addition to paying the money, the company agreed to undertake a security audit, create written security policies and train employees. Any company or organization that works with protected health information should consider the steps the settlement lays out a guideline for complying with HIPAA, Armon said.
“Under HIPAA, there are requirements under the privacy rule and the security rule,” he said. “Under the security rule, which is really the focus of this settlement, there's a series of required and addressable implementation standards that a party needs to abide by.
“A couple of things that the HHS Office for Civil Rights identified is to make sure that the company has done a risk assessment so that they understand how they can reduce risks and vulnerabilities to protected health information. They then wanted to make sure there were policies in place in written form so everyone who was handling this information would understand what the company's policies are. Policies reduce ambiguities in terms of what the workforce’s responsibilities are.
“As far as providing security training, there are a variety of things that can be a part of that, but it's really the who, what, where, why and how in terms of how information is to be handled, how it's to be shared, how it's to be protected and at the same time allow these people to do their everyday job.”
The case underscores not only the importance of complying with HIPAA, he said, but also the risks and benefits that new technology brings.
“It's a double-edged sword,” Armon said. “The technology allows all of us to do our jobs in a much easier fashion, and it also complicates compliance efforts, because we do have so much more readily available access to data. That means we need to provide an enhanced level of protection to ensure that we're being compliant with that information.”