BAS Blog

Health Care Services Company Settles HIPAA Violation Charges

Written by BAS | Oct 20, 2016 1:42:06 PM

A health care services company entered into a resolution agreement with the U.S. Department of Health and Human Services over an alleged HIPAA breach.  The company agreed to pay $650,000 and follow a corrective action plan. 

The alleged violation stemmed from the loss of a company-owned iPhone. An employee’s iPhone was stolen, and the phone contained information relating to 412 nursing home residents. The information included Social Security numbers, medical diagnoses, and medication information. The phone was not password-protected and the information was not encrypted.

The company itself was not a covered entity, but it was a business associate of an organization’s health plan.  This incident reinforces the importance of business associates having proper HIPAA policies and procedures.  A copy of the resolution agreement can be reviewed here.