iPhone or Pay Phone? HIPAA Business Associate Loses Cell Phone And Pays $650,000 to HHS
Talk about a toll call.
In late June 2016, the U.S. Department of Health and Human Services (“HHS”) announced the first ever HIPAA settlement by a business associate: $650,000 (plus a two-year corrective plan) for the loss of an iPhone containing the protected health information ("PHI") of 412 people.
You (should) all know that if your practice or healthcare business is a “covered entity” under HIPAA, as are most medical practices and businesses, you must protect your patients’/customers’ PHI under the HIPAA Privacy and Security Rules. In the same manner, your HIPAA business associates, with whom you must have business associate agreements in place (you do, right?), must also adhere to the HIPAA Rules imposed to protect PHI.
Unfortunately, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a business associate, let things slip.
CHCS was originally the corporate parent of six nursing homes; it also provided management services to the facilities. CHCS transferred ownership of the nursing homes to a third party but continued to serve as a business associate providing management services and information technology services to the six facilities.
HHS’ Office of Civil Rights (“OCR”), the department charged with enforcing HIPAA, was notified of a PHI breach at CHCS due to the theft of a CHCS-issued employee iPhone. It launched an investigation.
The iPhone was unencrypted and was not password protected. It contained extensive protected information including social security numbers, information regarding diagnosis and treatment, descriptions of medical procedures, names of family members and legal guardians, and medication information.
As a business associate, CHCS was required to implement the protections of the HIPAA Security Rule for the electronic protected health information it creates, receives, maintains, or transmits from covered entities. That included the information on the stolen iPhone.
As a business associate, CHCS was also required to conduct an enterprise-wide risk analysis and corresponding risk management plan - steps which are cornerstones of the HIPAA Security Rule.
The OCR investigation revealed that CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident. OCR also discovered that CHCS had not performed a risk analysis and had no risk management plan in place.
Please Deposit 2.6 Million Quarters
HHS agreed to resolve CHCS’s HIPAA business associate liability for the breach in exchange for CHCS’s payment of $650,000 (that’s 2.6 Million quarters for those of you who remember pay phones), plus entry into a two-year correction plan requiring a risk analysis, risk management plan, the adoption and distribution of specific policies designed to protect PHI, and training.
Reverse The Charges
No matter whether you’re a covered entity or a business associate, you must fully comply with all applicable HIPAA Privacy and Security Rule requirements. (And, remember that business associates must have business associate agreements in place with their downstream business associates.)
You must have a HIPAA compliance plan in place and make it a “living document.” Audit your current compliance, conduct a risk analysis and develop a corresponding risk management plan. Adopt the proper policies, publish them to your staff, and provide training.
Even if you believe that you’ve taken these steps, check again.
Contact Mark F. Weiss to discuss how we can assist you in the process. After all, the call today will be less than $650,000.
Wisdom. Applied. 91 - Why Document The Value Of A Group Member's Interest?
They say that beauty is in the eyes of the beholder.
But the value of a physician's interest in a medical group is in the eyes of the holder -- the holder of the pen so to speak: those in control of the terms of the buy-in and buy-out provisions of your group's shareholders or partnership agreement.
File this month’s All Things Personal column under the “stupid ass management” category.
The customer may not always be right. But don’t assume from the start that he’s lying.
I traveled a lot on business last week and at one stop rented a car from Budget Car Rental, a brand of Avis Budget Group, Inc. In fact, I reserved and paid for the car in advance.
Yet when I arrived at their airport location, the Budget employee told me, as she pointed to a piece of paper, that I had no reservation because my name “was not on the list.”
I told her that I had made the reservation and prepaid using my Budget “Fastbreak” (an obvious misnomer) member number, and that just because my name’s not on the list doesn’t mean that I don’t have a reservation.
No, she told me, it was impossible.
Only after I both gave her my Fastbreak member number and showed her the confirmation email on my phone did she take me seriously.
When I returned to Budget two days later to drop off the car, the doors to the Budget office were locked, yet two employees were talking to each other inside. When they heard me try to open the door, one yelled to me to leave the keys in the outside dropbox. He told me that they hadn't had their coffee yet.
Who (doesn't) manage these employees? Who (doesn't) train them? The "manager" should be fired.
Which leads me to the point of this piece, which is not simply to dump on Budget: We should all be concerned about how our own staff and outsourced “customer service” personnel are treating our clients and patients.
Do you have the equivalent of the woman working for Budget right in your own office? If so, who’s to blame?
Mark F. Weiss
The Mark F. Weiss Law Firm, a Professional Corporation
(Formerly known as Advisory Law Group, a Professional Corporation)
SANTA BARBARA OFFICE:
1227 De La Vina Street
Santa Barbara, CA 93101
Tel: 805 695 8107
LOS ANGELES OFFICE:
10940 Wilshire Boulevard
Los Angeles, CA 90024
Tel: 310 843 2800
211 N. Ervay
Read Mark Weiss' blog, "Wisdom. Applied." at
Sign up for our complimentary email newsletter, Advisory E-Alert, at
© 2016 The Mark F. Weiss Law Firm, A Professional Corporation
NEW BOOK OFFER
Having fallen for the fallacy that there’s profit in market share, hospitals have gorged on acquisitions and on employment and alignment of physicians. Many physicians have been willing participants through practice sales and in the belief that there’s safety in hospital employment. But it’s becoming evident that physician employment leads to losses and that integrated care delivers neither better care nor lower costs. And now, technology is about to moot many of the reasons for a hospital’s existence. How can your practice survive and even thrive in the post-hospital world?
The Impending Death of Hospitals is available for purchase in hard copy or in Kindle format on Amazon or you can download a complimentary PDF version here.
Today’s medical groups must confront multiple challenges: The impact of Obamacare. Increasing commoditization. More competition, not just from other physicians and medical professionals, but also from hospitals, investor-owned groups, and disruptive ventures. Yet at the same time, the future of healthcare offers medical groups tremendous opportunity.
This small book is a collection of essays, of thoughts as thinking tools for your success. Read. Think. Succeed. Repeat.
Some days, it seems as if everyone, from anesthesia groups to vascular surgery practices, is talking about selling their practice to a larger group, to private equity investors, or to a hospital.
The reality is that some practices can be sold, some can never be sold, and some have nothing to sell.
The reality also is that there are a number of strategic alternatives to a practice sale.
A perfect storm of factors is accelerating the market for hospital-based medical group mergers and acquisitions.
The healthcare market is changing rapidly, bringing new sets of problems.
How can you find a solution, how can you engage in the right development of strategy, and how can you plan your, or your group’s, future without tools to help clarify your thinking?
Directions is a collection of thoughts as thinking tools, each intended to instruct, inform, and even more so, cause you to give pause to instruct and inform yourself.
If you're an independent learner or need a refresher on a current topic, click here to find out about our growing list of Knowledge Products.
Recent Interviews and Published Articles
Finders keepers, losers weepers. Except in connection with overpayments from Medicare, then it’s a violation of the federal False Claims Act leading to significant liability—that is, unless you repay the overpaid sum within 60 days. Read CMS Resets the Clock for Return Of Medicare Overpayments in May 2016.
A New Strategy To Profit From Interventional Radiology, co-authored with Cecilia Kronawitter, was published on AuntMinnie.com on May 23, 2016. Read or download
Three of Mark’s blog posts were republished as a column entitled
in the Spring 2016 issue of the Pennsylvania Society of Anesthesiologists Newsletter, the
. Read or download
Mark's article Is There An Interventional Radiology ASC (irASC) In Your Future? was published in the April/May 2016 volume of Radiology Business Journal. Read or download here.
Mark's article Impending Death of Hospitals: Will Your Anesthesia Practice Survive? was published in the winter 2016 volume of Communique. Read or download here.
Mark was quoted in the article Practice Patterns Change While Outcomes Remain Steady Among Older Anesthesiologists, published in the December 2015 issue of Anesthesiology News. Read or download here.
Mark's article Anesthesia Group Mergers, Acquisitions and (Importantly) Alternatives was published in the summer 2015 volume of Communique. Read or download here.
Mark was quoted in the article Anesthesiology Acquisition Rate Still at Fevered Pace, published in the July 2015 issue of Anesthesiology News. Read or download here.
Mark's article Seeking Certainty In Radiology: Mergers, Acquisitions and Alternatives was published in June 2015 on Imagingbiz.com. Read or download here.