With apologies to John Donne, ask not for whom the bells tolls, HIPAA business
associates, it tolls for thee!  While it has been the law for
some time that business associates could be held directly liable
for breaches, enforcement actions against them have been few and
far between.  But a sizable settlement announced today by the
Office for Civil Rights at the U.S. Department of Health and Human
Services (HHS OCR) reminds us that business associates are going to
be held to the same standards (and subjected to the same penalties)
as HIPAA covered entities.

This $2.3 million settlement involved CHSPSC LLC, which provides IT and health
information management to hospitals and physician clinics owned by
Community Health
Systems, Inc., in Franklin, Tennessee.  In April 2014, the
FBI notified CHSPSC that it had traced a cyberhacking group’s
advanced persistent threat to CHSPSC’s information system.
Despite this notice, the hackers continued to access and exfiltrate
the PHI of 6,121,158 individuals until August 2014. The hackers
used compromised administrative credentials to remotely access
CHSPSC’s information system through its virtual private
network.  OCR ‘s investigation found longstanding,
systemic noncompliance with the HIPAA Security Rule including
failure to conduct a risk analysis, and failures to implement
information system activity review, security incident procedures,
and access controls.   In addition to the monetary
settlement, CHSPSC has agreed to a corrective action plan that includes two years
of monitoring.

To view Foley Hoag’s Security, Privacy and The Law
Blog please click
here

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.