For the first time, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has entered into a Resolution Agreement with a business associate over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI). This first settlement likely portends future enforcement actions against business associates for perceived HIPAA violations.

On June 24, 2016, OCR agreed to settle with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a non-profit organization that, as a business associate, provided management and information technology services to six nursing homes. OCR alleged that CHCS potentially violated the HIPAA Security Rule after a CHCS-issued employee smartphone containing nursing home residents’ ePHI was stolen.