The question of whether IT services providers need to concern themselves with compliance regulations like HIPAA appears to have been answered definitively. In July of 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 to settle violations arising from patient data stored on a smartphone it had issued, after that device was stolen.
HIPAA Compliance and "Covered Entities"
After a lengthy investigation by the Office for Civil Rights (OCR) that began in April of 2014, CHCS was deemed a "business associate" of the healthcare organizations to which it provided technology services. Even though the smartphone was not in the hands of CHCS officials when it was compromised, the fact that CHCS had issued it was enough to hold the organization responsible for everything that happened afterwards. Specifically, investigators found that at the time the smartphone was compromised, CHCS had no policies in place governing devices that contained patient health information, including the ability to remotely remove or wipe such devices from its infrastructure. It also had no plan for responding to a security incident of exactly the kind it ended up facing. Combined with the absence of a risk analysis and a risk management plan, this turned into a costly lesson that CHCS is unlikely to forget anytime soon.
An Uncertain Future for CHCS
CHCS' involvement with this HIPAA compliance investigation does not end the moment it pays the fine, however. Under the terms of the settlement, OCR will continue to monitor CHCS and work with officials within the organization for the next two years to ensure that it meets all of the HIPAA obligations that come with its role as a business associate. Depending on how things go, this period could be extended beyond the two years dictated by the settlement.
This is the type of situation that shows the importance of HIPAA compliant software cannot be overstated. Had the parties involved been using a HIPAA compliant FTP site to store and manage patient data rather than keeping it on the device itself, the compromise of a single smartphone would not have resulted in any privacy issues at all, let alone the kind of HIPAA compliance violations that ended up costing $650,000. Unfortunately, with more than $9 million in fines handed out for similar situations in 2016 alone, this seems to be one lesson that a wide range of IT services providers will need to learn the hard way.