The Office for Civil Rights, which oversees and enforces HIPAA has fined the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia $650,000 over the theft of an iPhone containing patient information.
The data lost concerned the protected health information of 412 nursing home residents. OCR found that CHCS lacked the required risk analysis and accompanying risk management plan. In particular OCR reported that CHCS lacked policies addressing the removal of mobile devices containing PHI from its facility. They also did not have an incident response plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a statement. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
According to HealthCare IT News, OCR initiated its investigation on April 17, 2014, after it was notified of the stolen phone, which was unencrypted and was not password protected. The information on the iPhone was extensive, OCR found, and it included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians and medication information.