Not-for-Profit Business Associate—No Risk Analysis: $650,000 Settlement: HIPAA & HITECH Act Blog by Jonathan P. Tomes

The Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a not-for-profit business associate, was the corporate owner of six nursing homes and provided management services for them. In February 2014, the nursing homes submitted a breach notice to the DHHS Office for Civil Rights (“OCR”). During its investigation into the breach, OCR discovered that CHCS, in its capacity as a business associate by virtue of performing management services, had not updated its risk analysis since September 23, 2013, the compliance date of the Security Rule for business associates.

In imposing the $650,000 settlement in lieu of a civil money penalty and an agreement to implement a corrective action plan (“CAP”), DHHS noted:

“The settlement should serve as a warning to all covered entities and business associates that the OCR will pursue civil money penalties for violations of HIPAA Rules. With the second round of HIPAA compliance audits looming, healthcare organizations should ensure that a HIPAA-compliant risk assessment is performed that covers all systems, policies, and procedures. Following the risk analysis, an action plan should be developed and implemented to remediate any risks developed during the risk analysis.

“Any HIPAA covered entity selected for audit will likely be asked to provide documentary evidence that demonstrates that a risk analysis has been conducted and that a risk management plan has been executed.” HIPAA Journal, June 30, 2016, “Philadelphia Business Associate Agrees to a $650,000 Settlement,” at http://www.hipaajournal.com/philadelphia-business-associate-agrees-650000-ocr-settlement-3490/.

See http://www.hhs.gov/sites/default/files/chcs-racap-final.pdf for the resolution agreement.

This language demonstrates that you cannot wait until you have received notice of an audit and then throw together the required risk analysis, because you will not have time to execute the required accompanying risk management program. Do your required risk analysis now. Do not wait another minute. If you need help, contact us. We are not cheap, but we are very good.
